Ok, it's not a Kibana issue, but my Elasticsearch configuration issue. I could fix it in the elasticsearch.yml file, but I believe it's much safer to fix it in my less-likely-to-be-altered start-up script wrapper.
So now when I start ES via the bin/elasticsearch script, but only on behalf of the ELK stack, I add the following option to the command line:

    -Des.index.query.default_field=message

And now, my default field for a Kibana (Lucene) query is message and not _all. And _all is well (pun intended!).

Brian