Kibana search not returning expected results when wildcard is used in search

Elastic Stack Kibana
1

I am having a very odd issue and hoping you have seen something like this previously.

We have a keyword field application.api.responseText

Mapping for that field is:

"application": {

          "properties": {

            "api": {

              "properties": {

                "responseText": {

                  "ignore_above": 8190,

                  "type": "keyword"

                },

            }

          }

        }

The data going into this field is always a string, and varies from message to message.

Sample data that would be in that field (I have highlighted the specific string we are trying to isolate):

Doc 1:

{"errors":[{"code":"SERVICE_ERROR","messages":["Catalyst Error Code: OTTOERR-100","java.lang.RuntimeException: Catalyst Error Code: OTTOERR-100","Catalyst Error Code: OTTOERR-100"],"transactionId":"617081","dateTime":{"offset":{"totalSeconds":0,"id":"Z","rules":{"transitions":[],"transitionRules":[],"fixedOffset":true}},"year":2020,"month":"JANUARY","dayOfMonth":29,"dayOfWeek":"WEDNESDAY","dayOfYear":29,"hour":19,"minute":10,"second":27,"nano":449000000,"monthValue":1}}],"statusCode":200,"transactionId":"1599599617081","eligible":false,"blacklistedFromFreePreview":null,"blacklistedFromFreeTrial":null,"householdFoundInMarketingFile":null,"targetedOfferFoundInOffersCatalog":null,"requestedFreePreviewDisabled":null,"requestedOfferMatchedTargeted":null,"requestedOfferIsReturned":null,"ottoErrorCode":"OTTOERR-100","ottoErrorMessage":"This account is not eligible for any offers.","offers":null,"netWorks":[]}

Doc2:

{"errors":[],"statusCode":200,"transactionId":"158046551","eligible":true,"blacklistedFromFreePreview":false,"blacklistedFromFreeTrial":false,"householdFoundInMarketingFile":true,"targetedOfferFoundInOffersCatalog":false,"requestedFreePreviewDisabled":null,"requestedOfferMatchedTargeted":null,"requestedOfferIsReturned":null,"ottoErrorCode":null,"ottoErrorMessage":null,"offers":[{"baseOffer":{"name":"TV Stream","promotionDays":7,"promotionType":"Free Trial","description":" Free Trial Offer","category":"base","id":"147872"},"premiums":[{"name":"Cinemax with On Demand","price":"7.5","description":"Cinemax with On Demand","ncsNetworkIds":["53"],"category":"Premium","id":"433971"},{"name":"Showtime with On Demand","price":"7.5","description":"Showtime with On Demand","ncsNetworkIds":["312"],"category":"Premium","id":"419321"},{"name":"Premium Pack","price":"15.0","description":"Premium Bundle","ncsNetworkIds":["330","31 ... (truncated by me for this post)

Doc3:

“service error”

Doc4:

“some string with other words in it”

I run a query in Kibana… such as:

application.api.responseText: *eligible\”\:true*

I get no results for some days data, other days I get results – Yes I have verified that the field contains the results I am expecting

I run another query in Kibana… such as:

Application.api.responseText: *

I get no results that include the “eligible”:true string in the message for some days, yet I get results for other days – Yes I have verified some messages contain this string

I run another query without any wildcards in Kibana just a blank query:

Now I get results where that field contains “eligible”:true

From what I can tell… Some days will return results, other days will not return results (even though I have verified the results are there) but only when a wildcard is used to search on that field.

2

Are you using Lucene or KQL? And do you have the Allow leading wildcards in query option enabled in Kibana's Advanced Settings?

3

Yes I double checked and Allow leading wildcards in query is enabled in Kibana
image

Also analyze_wildcard is set to true as well in Kibana
image

Here is a screenshot showing the values exist in the field I am looking for...

image
image1416×663 147 KB

Here is a screenshot showing searching for false working...

image
image1410×537 106 KB

Here is a screenshot showing searching for true not working...

image
image1414×391 59.3 KB

Tried using regex as well, still not working...

image
image1412×383 59.3 KB

Wrapped in parenthesis, still not working...

image
image1416×354 59.8 KB

Even with just * "eligible":true does not appear in the search results...

image
image1415×973 244 KB

Using ?? still causes no results...

image
image1417×341 55 KB

Including the "," works on false...

image
image1418×537 106 KB

Still not working when searching for true...

image
image1415×399 64.4 KB

This is very frustrating as I feel almost all of these should be working...
I have even tried copy&paste of the exact string to ensure there is not any issue with the quotes.
I have been completely unable find a solution for this problem.

4

Hmmm yeah that's pretty strange. A few questions:

  • What version of Kibana are you using?
  • Can you click the Options button in the query bar and tell me if you have KQL enabled? Depending on the version you're using it might just be called "Enhanced query features" or something like that.
  • Do you have a keyword version of this field? If so you may try querying on that. My best guess is that there's something odd happening with the parsing or analysis of the query, and using the keyword version may avoid that complication. For example: application.api.responseText.keyword: *eligible\”\:true*

To give any further advice I'll have to try to reproduce the issue myself. Unfortunately I'm out of the office until next Friday, so I will have to take a look after I get back. This seems like a bug to me, so also feel free to file a ticket on our Github repo.

5

Using Kibana 6.7.2 and ES 6.7.2
Yes Enhanced Query Features is enabled (have also tried disabled)
I only have a keyword version of this field per the mapping from my first post

6

Any ideas on this?

7

Could it be your ignore_above? Perhaps the documents with eligible:true just happen to be a bit longer and are hitting that limit? The fact that those documents don't show up in the application.api.responseText:* query suggests to me that the field is not indexed at all for those documents, because that query will get turned into a simple exists query under the hood.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.