Best Optimization for wildcard queries

Sheharyar_Khalid · January 9, 2023, 12:41pm

Hello,
I am working with elasticsearch on audit log data. I wanted to know what are the best optimizations and tokenizer/analyzer/term usages for optimizing elastic for wildcard queries. I have looked at n-grams and they looked interesting but I could find no proper guide/documentation for optimizing elastic to my use case.

My use case
We are trying to search for program path string in log data. For example we have data that has strings like C://user/home/folder1/folder2/folder3/malware and we wish to run a wildcard *malware and we hope to match the document with the above string.

What would be the best path (if any) to go about such use case. What tokenizer should we use? I was looking at wildcard term features. Is this any different from keyword term?

Any help/guidance will be appreciated.

Christian_Dahlqvist · January 9, 2023, 12:43pm

Have you looked at the wildcard field type?

Sheharyar_Khalid · January 9, 2023, 1:06pm

@Christian_Dahlqvist
I will look into it. Should I pair it with n-gram tokenizer or any other tokenizer that is optimal for wildcard queries?

Christian_Dahlqvist · January 9, 2023, 1:10pm

I believe it uses ngrams behind the scenes, so you do not need to pair it with anything as far as I know.

Sheharyar_Khalid · January 9, 2023, 2:30pm

Thank you for the help. Appreciate it!

system · February 6, 2023, 2:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.