How to do case-insensitive search for a field value?


(Jeremy C) #1

In Kibana's Discover page search, if I just type "server1" then it does a case-insensitive search.
But if I do "beat.hostname: server1" then that's a case-sensitive search. How do I make that case-insensitive?

I'm hoping this is a really silly/easy question but I just haven't found the answer.

Thanks


(Bill McConaghy) #2

Hmm, case-insensitivity works for me with the data loaded from the makelogs script against the host field.

that field is mapped as text. Can you check the mappings for the hostname field on that index? Also, what version of Kibana/ES are you running? I checked this against the latest.


(Jeremy C) #3

Interesting... for me, it's case-insensitive with the logstash index also. But for any of the indices associated with beats (winlogbeat, filebeat, metricbeat), the same query is case-sensitive.


(Bill McConaghy) #4

Could you share the mapping for one of those indices? https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-get-mapping.html


(Jeremy C) #5

The mapping is longer than the max 7000 characters for a reply so I'll break it up.
{
"winlogbeat-6.1.2-2018.02.12": {
"mappings": {
"doc": {
"_meta": {
"version": "6.1.2"
},
"dynamic_templates": [
{
"fields": {
"path_match": "fields.",
"match_mapping_type": "string",
"mapping": {
"type": "keyword"
}
}
},
{
"docker.container.labels": {
"path_match": "docker.container.labels.
",
"match_mapping_type": "string",
"mapping": {
"type": "keyword"
}
}
},
{
"event_data": {
"path_match": "event_data.",
"match_mapping_type": "string",
"mapping": {
"type": "keyword"
}
}
},
{
"user_data": {
"path_match": "user_data.
",
"match_mapping_type": "string",
"mapping": {
"type": "keyword"
}
}
},
{
"strings_as_keyword": {
"match_mapping_type": "string",
"mapping": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
],
"date_detection": false,
"properties": {
"@timestamp": {
"type": "date"
},
"activity_id": {
"type": "keyword",
"ignore_above": 1024
},
"beat": {
"properties": {
"hostname": {
"type": "keyword",
"ignore_above": 1024
},
"name": {
"type": "keyword",
"ignore_above": 1024
},
"timezone": {
"type": "keyword",
"ignore_above": 1024
},
"version": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"computer_name": {
"type": "keyword",
"ignore_above": 1024
},
"docker": {
"properties": {
"container": {
"properties": {
"id": {
"type": "keyword",
"ignore_above": 1024
},
"image": {
"type": "keyword",
"ignore_above": 1024
},
"labels": {
"type": "object"
},
"name": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
},
"error": {
"properties": {
"code": {
"type": "long"
},
"message": {
"type": "text",
"norms": false
},
"type": {
"type": "keyword",
"ignore_above": 1024
}
}
},


(Jeremy C) #6

Part 2 of 3:
"event_data": {
"properties": {
"AdapterName": {
"type": "keyword"
},
"AdapterSuffixName": {
"type": "keyword"
},
"Address": {
"type": "keyword"
},
"AddressLength": {
"type": "keyword"
},
"AuditPolicyChanges": {
"type": "keyword"
},
"Binary": {
"type": "keyword"
},
"CategoryId": {
"type": "keyword"
},
"ClientName": {
"type": "keyword"
},
"Context": {
"type": "keyword"
},
"DirtyPages": {
"type": "keyword"
},
"DnsServerList": {
"type": "keyword"
},
"ErrorCode": {
"type": "keyword"
},
"HiveName": {
"type": "keyword"
},
"HiveNameLength": {
"type": "keyword"
},
"HostName": {
"type": "keyword"
},
"IP_Name": {
"type": "keyword"
},
"Ipaddress": {
"type": "keyword"
},
"KeysUpdated": {
"type": "keyword"
},
"Name": {
"type": "keyword"
},
"QueryName": {
"type": "keyword"
},
"ReservationName": {
"type": "keyword"
},
"Sent UpdateServer": {
"type": "keyword"
},
"ServerURL": {
"type": "keyword"
},
"SubcategoryGuid": {
"type": "keyword"
},
"SubcategoryId": {
"type": "keyword"
},
"SubjectDomainName": {
"type": "keyword"
},
"SubjectLogonId": {
"type": "keyword"
},
"SubjectUserName": {
"type": "keyword"
},
"SubjectUserSid": {
"type": "keyword"
},
"TSId": {
"type": "keyword"
},
"Type": {
"type": "keyword"
},
"UserSid": {
"type": "keyword"
},
"param1": {
"type": "keyword"
},
"param10": {
"type": "keyword"
},
"param11": {
"type": "keyword"
},
"param12": {
"type": "keyword"
},
"param2": {
"type": "keyword"
},
"param3": {
"type": "keyword"
},
"param4": {
"type": "keyword"
},
"param5": {
"type": "keyword"
},
"param6": {
"type": "keyword"
},
"param7": {
"type": "keyword"
},
"param8": {
"type": "keyword"
},
"param9": {
"type": "keyword"
}
}
},
"event_id": {
"type": "long"
},
"fields": {
"type": "object"
},
"keywords": {
"type": "keyword",
"ignore_above": 1024
},
"kubernetes": {
"properties": {
"annotations": {
"type": "object"
},
"container": {
"properties": {
"image": {
"type": "keyword",
"ignore_above": 1024
},
"name": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"labels": {
"type": "object"
},
"namespace": {
"type": "keyword",
"ignore_above": 1024
},
"pod": {
"properties": {
"name": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
},
"level": {
"type": "keyword",
"ignore_above": 1024
},
"log_name": {
"type": "keyword",
"ignore_above": 1024
},
"message": {
"type": "text",
"norms": false
},
"message_error": {
"type": "keyword",
"ignore_above": 1024
},
"meta": {
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"type": "keyword",
"ignore_above": 1024
},
"instance_id": {
"type": "keyword",
"ignore_above": 1024
},
"instance_name": {
"type": "keyword",
"ignore_above": 1024
},
"machine_type": {
"type": "keyword",
"ignore_above": 1024
},
"project_id": {
"type": "keyword",
"ignore_above": 1024
},
"provider": {
"type": "keyword",
"ignore_above": 1024
},
"region": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
},
"opcode": {
"type": "keyword",
"ignore_above": 1024
},
"process_id": {
"type": "long"
},
"provider_guid": {
"type": "keyword",
"ignore_above": 1024
},
"record_number": {
"type": "keyword",
"ignore_above": 1024
},
"related_activity_id": {
"type": "keyword",
"ignore_above": 1024
},
"source_name": {
"type": "keyword",
"ignore_above": 1024
},
"tags": {
"type": "keyword",
"ignore_above": 1024
},
"task": {
"type": "keyword",
"ignore_above": 1024
},
"thread_id": {
"type": "long"
},
"type": {
"type": "keyword",
"ignore_above": 1024
},
"user": {
"properties": {
"domain": {
"type": "keyword",
"ignore_above": 1024
},
"identifier": {
"type": "keyword",
"ignore_above": 1024
},
"name": {
"type": "keyword",
"ignore_above": 1024
},
"type": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"user_data": {
"type": "object"
},
"version": {
"type": "long"
},
"xml": {
"type": "text",
"norms": false
}
}
},


(Jeremy C) #7

Part 3 of 3:

"default": {
"_meta": {
"version": "5.6.2"
},
"dynamic_templates": [
{
"strings_as_keyword": {
"match_mapping_type": "string",
"mapping": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
],
"date_detection": false,
"properties": {
"@timestamp": {
"type": "date"
},
"activity_id": {
"type": "keyword",
"ignore_above": 1024
},
"beat": {
"properties": {
"hostname": {
"type": "keyword",
"ignore_above": 1024
},
"name": {
"type": "keyword",
"ignore_above": 1024
},
"version": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"computer_name": {
"type": "keyword",
"ignore_above": 1024
},
"event_id": {
"type": "long"
},
"keywords": {
"type": "keyword",
"ignore_above": 1024
},
"level": {
"type": "keyword",
"ignore_above": 1024
},
"log_name": {
"type": "keyword",
"ignore_above": 1024
},
"message": {
"type": "text",
"norms": false
},
"message_error": {
"type": "keyword",
"ignore_above": 1024
},
"meta": {
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"type": "keyword",
"ignore_above": 1024
},
"instance_id": {
"type": "keyword",
"ignore_above": 1024
},
"machine_type": {
"type": "keyword",
"ignore_above": 1024
},
"project_id": {
"type": "keyword",
"ignore_above": 1024
},
"provider": {
"type": "keyword",
"ignore_above": 1024
},
"region": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
},
"opcode": {
"type": "keyword",
"ignore_above": 1024
},
"process_id": {
"type": "long"
},
"provider_guid": {
"type": "keyword",
"ignore_above": 1024
},
"record_number": {
"type": "keyword",
"ignore_above": 1024
},
"related_activity_id": {
"type": "keyword",
"ignore_above": 1024
},
"source_name": {
"type": "keyword",
"ignore_above": 1024
},
"tags": {
"type": "keyword",
"ignore_above": 1024
},
"task": {
"type": "keyword",
"ignore_above": 1024
},
"thread_id": {
"type": "long"
},
"type": {
"type": "keyword",
"ignore_above": 1024
},
"user": {
"properties": {
"domain": {
"type": "keyword",
"ignore_above": 1024
},
"identifier": {
"type": "keyword",
"ignore_above": 1024
},
"name": {
"type": "keyword",
"ignore_above": 1024
},
"type": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"version": {
"type": "long"
},
"xml": {
"type": "text",
"norms": false
}
}
}
}
}
}


(Bill McConaghy) #8

The hostname field is mapped as type keyword, so its value is indexed verbatim and a query must match it exactly, case included. makeLogs maps the host field as text, which is run through an analyzer that lowercases terms and so supports case-insensitive searching by default. Keep in mind that any saved searches or alerting rules filtering on beat.hostname will silently miss events whose hostname differs only in case until this is addressed. So you can remap the field as type text and reindex, or you can try the suggestion in the linked blog article in this discussion:


(system) #9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.