Filter square brackets on Kibana

Question

I'm struggling to filter square brackets on my log messages in Kibana. Suppose I have the messages:

[BOOK] The Book 32 was sold
Exception on buying BOOK

And I want to filter only messages having exactly [BOOK] (so I should get only the first one).

I have tried filtering free text with all kinds of escaping I could think of:

[BOOK]
"[BOOK]"
\[BOOK\]
"\[BOOK\]"
\\[BOOK\\]

And also tried filtering by the message field:

message: [BOOK]*
message: "[BOOK]*"
message: \[BOOK\]*
message: "\[BOOK\]*"

But Kibana seems to simply ignore the square brackets and always brings both messages, highlighting only the BOOK word.

How can I force it search for the []?

Answer 1

if your message field is an analysed text, then the brackets are dropped by the analyzer. You should run your query against a keyword data type. More precisely, you will need to run a regexp against a keyword data type, such as a prefix or a wildcard query.

Let's assume that the mapping of message is keyword. If [BOOK] is always at the beginning of your log message, then a valid query is the following:

{ "query": {
  "prefix": {
    "message": "[BOOK]"
  }
}}

If instead you would like to search for [BOOK] in any part of the message value, then you would need something like:

{ "query": {
  "wildcard": {
    "message": "*[BOOK]*"
  }
}}