Lower/Upper case search

mathurin68 · December 27, 2017, 2:21pm

In a kibana dashboard I need to query a field for upper or lowercase. The field is a scriptblock from powershell so it has to be a string(text), I need to be able to search for different words inside it.

After reading a ton of stuff, I guess I have a couple options -

Normalize the field, but all the examples use keywords so I m not sure if this is possible.
https://www.elastic.co/guide/en/elasticsearch/reference/current/normalizer.html
Add another field, copy the data and then use the lowercase processor
https://www.elastic.co/guide/en/elasticsearch/reference/master/lowercase-processor.html

I want to be able to do a search like this -
"minimum_should_match": 1,
"should": [
{
"wildcard": {
"powershell.scriptblock.text": "ExecutionPolicy*"
}

Thanks!

jbudz · December 27, 2017, 5:53pm

Are you saying you want searches to be case sensitive? You can do wildcard queries in kibana if you want the not analyzed part of it,
{"wildcard":{"powershell.scriptblock.text":"ExecutionPolicy*"}}

mathurin68 · December 27, 2017, 5:58pm

Hey Jon!

Case insensitive, actually -

Execution Policy or execution policy.

Currently, when I search with a wildcard it won't find it without case match.

This -
{"wildcard":{"powershell.scriptblock.text":"*Execution*Policy*"}}
only finds this
Get Execution-Policy

not this ...

get execution-policy

but I need it to find both.

jbudz · December 27, 2017, 9:00pm

Does using the default query string query work? It should run both the query and documents through the same analyzer, and will lowercase it by default

mathurin68 · December 27, 2017, 11:59pm

I remember reading that but it doesn't seem to work. (modified to look in multiple fields)

Alright, if I do the search directly from the dashboards query it seems to work -

if I do a DSL query with multiple fields case seems to matter
this only gets me lowercase not the upper

{
  "query": {
    "bool": {
      "should": [
        { "wildcard": { "CommandLine": "*execution*" }},
        { "wildcard": { "powershell.*": "*execution*" }}
      ]
    }
  }
}

I appreciate your patience!

mathurin68 · December 29, 2017, 10:52pm

Alright got it to work just by mutating the field to lowercase -
mutate {
lowercase => "[powershell][scriptblock][text]"
}

... before production might be better to copy the data to a new field and lowercase that field just so we have the original.

I appreciate the help @jbudz! You guys always seem to point me in the right direction.

system · January 26, 2018, 10:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.