Lower/Upper case search

mathurin68 · December 27, 2017, 2:21pm

In a kibana dashboard I need to query a field for upper or lowercase. The field is a scriptblock from powershell so it has to be a string(text), I need to be able to search for different words inside it.

After reading a ton of stuff, I guess I have a couple options -

Normalize the field, but all the examples use keywords so I m not sure if this is possible.
https://www.elastic.co/guide/en/elasticsearch/reference/current/normalizer.html
Add another field, copy the data and then use the lowercase processor
https://www.elastic.co/guide/en/elasticsearch/reference/master/lowercase-processor.html

I want to be able to do a search like this -
"minimum_should_match": 1,
"should": [
{
"wildcard": {
"powershell.scriptblock.text": "ExecutionPolicy*"
}

Thanks!

jbudz · December 27, 2017, 5:53pm

Are you saying you want searches to be case sensitive? You can do wildcard queries in kibana if you want the not analyzed part of it,
{"wildcard":{"powershell.scriptblock.text":"ExecutionPolicy*"}}

mathurin68 · December 27, 2017, 5:58pm

Hey Jon!

Case insensitive, actually -

Execution Policy or execution policy.

Currently, when I search with a wildcard it won't find it without case match.

This -
{"wildcard":{"powershell.scriptblock.text":"*Execution*Policy*"}}
only finds this
Get Execution-Policy

not this ...

get execution-policy

but I need it to find both.

jbudz · December 27, 2017, 9:00pm

Does using the default query string query work? It should run both the query and documents through the same analyzer, and will lowercase it by default

mathurin68 · December 27, 2017, 11:59pm

I remember reading that but it doesn't seem to work. (modified to look in multiple fields)

Alright, if I do the search directly from the dashboards query it seems to work -

if I do a DSL query with multiple fields case seems to matter
this only gets me lowercase not the upper

{
  "query": {
    "bool": {
      "should": [
        { "wildcard": { "CommandLine": "*execution*" }},
        { "wildcard": { "powershell.*": "*execution*" }}
      ]
    }
  }
}

I appreciate your patience!

mathurin68 · December 29, 2017, 10:52pm

Alright got it to work just by mutating the field to lowercase -
mutate {
lowercase => "[powershell][scriptblock][text]"
}

... before production might be better to copy the data to a new field and lowercase that field just so we have the original.

I appreciate the help @jbudz! You guys always seem to point me in the right direction.

system · January 26, 2018, 10:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to filter the uppercase fields in Kibana Kibana	11	9306	July 6, 2017
Not able to search Upper case values Elasticsearch	8	5299	July 6, 2017
[Elastic search] wildcard (ignore case) query is not working Elasticsearch	3	390	May 10, 2023
How to set a lowercase analyzer Elasticsearch	9	766	January 30, 2017
Case Insensitive search in kibana dahboard Kibana	2	449	November 7, 2022

Lower/Upper case search

Related topics