Edit Query DSL not considering the "is not" operator, and wildcards not working

[timroes]

Currently the filter Query DSL, does not match when you use the is not operator. When you use it and click on Edit Query DSL link, it shows a simple match query, without the not being applied, however it works as expected since the not is applied behind the scenes, a query like this is passed:

"must_not": [{
  "match_phrase": {
    "remoteAddress": {
      "query": "your_query"
    }
  }
}]

This is quite confusing for users since they don´t see the is not being applied in the written query (Edit Query DSL link).

Also, the problem with the above query is that it does not take into account wildcards. In order to do that you should edit and write your Query properly for every filter. Something like this:

{
  "query": {
    "bool": {
      "must_not": {
        "wildcard": {
          "remoteAddress": {
            "value": "*example.com"
          }
        }
      }
    }
  }
}

[elasticmachine]

Pinging @elastic/kibana-app (Team:KibanaApp)

[timroes]

cc @Bargs

[Bargs]

Wildcards are not supposed to work at the moment, we have an open issue for that #13943. Rather than support wildcards in is and is not I think we should add a new contains operator. That's the approach this community PR was going with, but it has lost traction (my fault).

This is quite confusing for users since they don´t see the is not being applied in the written query

Has this come up for you a lot in discussions with users? I've never heard of anyone complaining about it before. I think it's better to think of negation as a flag on the filter rather than a part of the filter's query. If we were to include the must_not on negated filters, then it would only make sense to include the filter on non-negated filters. Then that would lead to users trying to change the filter to a must for scoring. And we have a lot of logic that relies on the query having a particular shape in order to determine what kind of filter is being dealt with, so all of that would need to be updated to account for the possible top level must_not. It's a whole can of worms 🐛🐛🐛 :)

[mikeh688]

Hi,
I raised this issue with Elastic support (we're an Elastic OEM partner). One of our customers experienced the issue and the scenario is one that will occur frequently (find all records that do not contain string xxx). 'Contains' would work as an alternative. From a userability perspective, the contains filter should also be available in the 'add a filter' option list (as well as does not contain).

I think the issue is that searching for wildcards and NOT doesn’t work. That took us down the path of having to use the JSON queries.

The ticket reads as a feature request rather than a very basic bug that needs fixing; a tool that’s positioned as being powerful at searching and processing data is pretty compromised if it cant do basic wildcard searches and include NOTs

[elasticmachine]

Pinging @elastic/kibana-app-arch (Team:AppArch)

[keitalbame]

I noticed the NOT operator is not reflected in the DSL when creating the filter from the UI on Kibana 7.6.2.
Did not tested on a recent version.

[vadimkibana]

Thank you for contributing to this issue, however, we are closing this issue due to inactivity as part of a backlog grooming effort. If you believe this feature/bug should still be considered, please reopen with a comment.

[lukasolson]

Reopening this one, since it is especially relevant to the complex and/or filtering effort.

[elasticmachine]

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)