I have a document that has the variable name "name". One document has name:"Subject.doc" if I search using name: Subject* I do not get the document returned but if I search name:"ubjectdoc I get the document returned.
Also if I search without specifying the "name" field using "Subject*" the document is returned.
I believe what's happening here is that Kibana is performing a query string query, and, with a wildcard:
Wildcarded terms are not analyzed by default — they are lowercased (lowercase_expanded_terms defaults to true) but no further analysis is done, mainly because it is impossible to accurately analyze a word that is missing some of its letters.
Hence, when you provide the search string Subject*, the documents are scanned for "name" field values that begin with "subject", followed by anything, and that doesn't actually match the sample documents. However, when you provide the search string *ubject*doc, the scan is for "name" field values that have the exact substring "ubject" preceded by anything (which could be "s", "S", or anything else), followed by anything, and ending with the substring "doc". This evaluation does match the "Subject.doc" string in your sample doc.
As noted in the documentation, you can set lowercase_expanded_terms to false, and that should make your first search match.
I changed "query:queryString:options" in Kibana settings to include "lowercase_expanded_terms" set to True and it works as I initially thought it should and name: Subject* returns the document. Now "query:queryString:options" is "{ "analyze_wildcard": true, "lowercase_expanded_terms": false }"
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.