Skip to content

Latest commit

 

History

History
32 lines (19 loc) · 3.17 KB

searching.md

File metadata and controls

32 lines (19 loc) · 3.17 KB

Searching

  1. We currently support the Lucene search syntax and not the experimental KQL syntax. You should not turn this option on via the UI or set it for all users like indicated here under the "search:queryLanguage" option.

  2. Text search in elasticsearch is implemented differently for the different string types, keyword and text, as explained here. With Azure Data Explorer, there is a single string type, and text searches are applied in a way that correlates to searching on an elasticsearch text data type. Some use cases which show the difference in search behavior include:

    • Search which was applied using a value expected to be found on an elasticseach keyword data type, will yield more results on Azure Data Explorer.

    • A case sensitive search which was applied using a value expected to be found on an elasticseach keyword data type, will yield non case sensitive results on Azure Data Explorer.

    • When searching using wildcards ('*' for multi characters and '?' for a single character), K2 will consider any character as valid, including space. This is in comparison to Elasticsearch which (unless configured otherwise) does not include space when searching for keywords and do allow spaces when searching for text.

  3. Multiple words in a search term are split based on operators and analyzed individually, combined with an OR operator in both elsticsearch and Azure Data Explorer.

  4. When enclosing strings with quotation marks, the exact quoted term is being searched in both elsticsearch and Azure Data Explorer.

  5. Partial support for Azure Data Explorer's dynamic column - those columns represent objects with an unknown schema. Those columns are visible in the item view as "flat" properties. However, their 1-click search icons (the +/-) are disabled. Additionally, those columns won't appear in the add filter option.

    Issue

    Options for better interaction with dynamic columns: * Use Lucene expressions in the search box with a fully qualified property path. For example: propertyA.propertyB:myValue * If possible, consider promoting some/all properties in a dynamic column to regular-discreet columns in Azure Data Explorer. By doing so, you'll also get a potential performance boost when searching.

  6. Highlighting the results works the same when using either Azure Data Explorer or elasticsearch, apart from the following known issues:

    • Searches done on numeric fields in Azure Data Explorer are highlighted, while in elasticsearch they are not. TODO: update when fixing issue

    • When searching for value within a specific field, Azure Data Explorer will highlight text found in any field, not just the requested one. TODO: update when fixing issue.