Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Wildcard search doesn't work in Kibana

Tags:

elasticsearch

kibana

I have a field "Alert" that contains a long string containing spaces, numbers, and special characters. I have this field set to "not_analyzed". Using the Wildcard query I can issue a query as follows and get the results I want.

POST /test-index-snort2/type-snort/_search
{
  "query": {
    "wildcard": {
      "Alert": {
        "value": "ET CNC*"
      }
    }
  }
}

I'd like to use Kibana to implement a similar search. Doing so however returns no results. My query in Kibana appears as follows:

Alert:"ET CNC*"

Which in turn creates a query_string query like so:

"query": {
    "filtered": {
      "query": {
        "bool": {
          "should": [
            {
              "query_string": {
                "query": "Alert:\"ET CNC*\""
              }
            }
          ]
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "match_all": {}
            }
          ]
        }
      }
    }

Is there a way to get the same results in Kibana via the query_string query that I do with using the wildcard query?

Here is the mapping for the Alert field and a sample of the entries:

"Alert": {
        "type": "string",
        "index": "not_analyzed"
},

"Alert": "ET CNC Palevo Tracker Reported CnC Server TCP group 9 ",
"Alert": "ET CNC Palevo Tracker Reported CnC Server TCP group 10 ",
"Alert": "ET CNC Zeus Tracker Reported CnC Server TCP group 3 ",
like image 401
Sgt B Avatar asked Mar 28 '14 16:03

Sgt B

1 Answers

Thanks to polyfractal over in #elasticsearch, I have an answer. By default query_string will lowercase wildcard input. This can be disabled through the lowercase_expanded_terms=false setting. However, there's no way to set this in Kibana.

polyfractal recommended that I create an analyzer to lowercase this content. This will allow me utilize the query_string with wildcards with the limitation that the field value will appear in lowercase in facet results, but the _source will retain the original formatting. For me, this works well and is the solution I'm moving forward with.

Except from IRC:

<polyfractal> id set up the analyzer like this:  tokenizer:keyword, filters: [lowercase]
<polyfractal> that'll basically give you a lowercased `not_analyzed` field.  may also want to disable norms, since you prolly dont need them either
like image 194
Sgt B Avatar answered Oct 10 '22 04:10

Sgt B
Sign in to Comment

Related questions

Elasticsearch Spring boot integration test
elasticsearch: extract number from a field
Best practice for handling many-to-many relationships in Elasticsearch?
Is there a way to make elasticsearch case-insensitive without altering the existing documents?
A simple AND query with Elasticsearch
How to create value over time line chart in Kibana 4?
How to find out the index creation date in elasticsearch
query for one field doesn't equal another field in elasticsearch
Default index analyzer in elasticsearch
Disable dynamic mapping creation for only specific indexes on elasticsearch?
Types cannot be provided in put mapping requests, unless the include_type_name parameter is set to true
How to suggest (autocomplete) next word in elastic search?
elasticsearch fuzzy matching max_expansions & min_similarity
Elastic search full text vs mysql full text?
Elasticsearch deeper level Parent-child relationship (grandchild)
elasticsearch exclude results with value
Does it matter if the filter is inside or outside a filtered query?
Elasticsearch cluster 'master_not_discovered_exception'
How do you delete all indexes in elastic search using node.js?
How to match on prefix in Elasticsearch

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!