Can't query asterisk

lwintergerst · February 1, 2016, 11:28am

Hi,
EDIT: The post displayed was not the same I wrote My backslashes were not displayed...

I am unable to search for the asterisk '*' character.
I got the following events indexed(3 with *, 1 without):

"http_request": "/this/is/a/request/?firstName=John&lastName=Doe&something=false"
"http_request": "/this/is/a/request/?firstName=John&lastName=*&something=false"
"http_request": "/this/is/a/request/?firstName=*&lastName=Doe&something=false"
"http_request": "/this/is/a/request/?firstName=*&lastName=*&something=false"

They have the following mapping(I also tried with "analyzed", but it does not work either):

"http_request   ": {
"type": "string",
"index": "not_analyzed"
},

I tried the following. Everything gives me no results at all.
http_request:\*
http_request:"\"
http_request:"\**"
http_request://
http_request:/\/

and possibly some others that I can't think of right now. But nothing seems to work...

I can reindex the data with a different mapping if you want.

Luca

stormpython · February 1, 2016, 7:36pm

lwintergerst,

I am not sure why the * wildcard search is not working for you.

Could it be that the "http_request " field has empty spaces at the end in the mapping? If you are entering these:

"http_request": "/this/is/a/request/?firstName=John&lastName=Doe&something=false"
"http_request": "/this/is/a/request/?firstName=John&lastName=*&something=false"
"http_request": "/this/is/a/request/?firstName=*&lastName=Doe&something=false"
"http_request": "/this/is/a/request/?firstName=*&lastName=*&something=false"

in the kibana search bar, try removing the " (quotes) from http_request and from the search string, eg.

http_request: /this/is/a/request/?firstName=John&lastName=*&something=false

Let me know if any of those work.

lwintergerst · February 1, 2016, 7:50pm

I just noticed that I had to escape my back slashes in my post above. Would you mind taking a look again? Thanks!

The spaces in the mapping are probably a copy/paste error, as there was no other mapping for the field in the mapping.
I can check tomorrow just to be sure

jaminvp · February 5, 2016, 2:01pm

In case you haven't found a solution yet, in Kibana 4.1.2 I had an issue with the query where my search string was turned into lowercase before Kibana queries Elasticsearch.

I fixed it by changing the query:queryString options (Settings -> Advanced) to:
{ "analyze_wildcard": true, "lowercase_expanded_terms": false }

Your problem might be unrelated though!