elasticsearch / kibana 4: field exists but is not equal to a value

Question 1

elasticsearch / kibana 4: field exists but is not equal to a value

elasticsearch kibana-4

Peter M · Sep 9, 2015 · Viewed 53.1k times · Source

Answer

Answer

The query you're looking for is this one:

_exists_:status_code AND NOT status_code:200

This link shows you all what's supported by query string queries.

Question 2

elasticsearch version 1.4.5

kibana 4.1.1

logstash 1.5.2-1

How do I structure a search in the discover tab of kibana 4 that only returns results if a field exists but is not equal to a specific value?

I have some apache log data in logstash and I want to return all entries that have status_code defined but not equal to 200. So if the possible values are {undefined, 200, 403, 404, 500, etc} I would like to see all variants of 4xx and 5xx errors but not messages where the field is not defined and not where it is set to 200.

I have tried the following:

+status_code: (*) -status_code: (200)

((status_code: (*) AND NOT status_code: (200))

I also see references to elasticsearch curl queries but I'm not sure how to turn them into something that I can use in the kibana search bar. Here is an example:

{
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": {
            "exists": {
              "field": "status_code"
            }
          },
          "must_not": {
            "term": {
              "status_code": '200'
            }
          }
        }
      }
    }
  }
}

Thanks!

elasticsearch / kibana 4: field exists but is not equal to a value

Answer

Related questions