Those wildcard searches... or is it me?

Elastic Stack Elasticsearch
1

Hi, guys my third time setting up all the good things:
Elasticsearch, Logstash, Kibana... Logs coming from Filebeat.
Kibana is showing me all the relevant Logs. I also fixed the timestamp situation. ..
Everything looks awesome. I was proud!
But now, where Boss is testing it: all RegEx related Search Options are not working. :confused:
e.g.:
request: "/somedata/somewhere/here.html" ..
request: "/somedata/wheresome/here.html" ..
..

I want to search in kibana something like this: "/somedata/*/here.html", which should replay both, right?
..but it shows me nothing. yes, i have escaped every symbol proper etc.
Is somewhere a nice guide on how to make the classic wildcard-search ( "*", "?", ..) functional?
In other words:
How to apply the right analyzer to make wildcard-searches within the request fields working?

Thanks Guys. And Sorry for mistakes. Iam new here. :see_no_evil:

2

Thanks for this amazing input, guys. Thanks.

Could someone explain to me the following please:

"/somedata/*/here.html" gives zero feedback,
"\/somedata\/*\/here\.html" gives zero feedback,
/somedata/*/here.html gives some feedback but not the right one,
request: ""/somedata/*/here.html"" zero feedback,
request: ""\/somedata\/*\/here\.html"" zero feedback,
request.keyword: "/somedata/*/here.html" zero feedback,

but
{"wildcard": {"request.keyword": "*\\/somedata\\/*\\/here\\.html"}}
works as it should be. thats weird.

Is it possible to use the term "{"wildcard": {"request.keyword": " as a default for the kibana searchbar?

Thanks in advance.

3

Hi,

You can change the default field at the Discover like:

KIbana->Management->Advanced Settings

and change the default_field at query:queryString:options

Now about the wildcards. If you want to search you should use like this:

request.keyword:\/somedata\/*\/here\.html

Don't use the quotes because this will be interpreter as a exact match and won't execute the wildcard.

You can also use regular expressions in Kibana like this:

request.keyword:/\/somedata\/.*\/here\.html/

4

Hi. Thanks for your reply.
sadly: your given Options are giving me ZERO hits. :confused:
It only works if i post it like this in kibana:
{"wildcard": {"request.keyword": "*\\/somedata\\/*\\/here\\.html"}}

5

What is the magic behind your recommendations?
Even the official documentation tells me, that RegEx-stuff could be realized through "/" at the beginning and end. But no luck for me :confused:
For futher error analysis: Should I post my mapping?
Thanks in Advance.

6

Hi, I have notice that it was wrong the regular expression example that I have sent to you.

The documentaiton about the what is accepted in Kibana is in here (change for your version of Kibana):
https://www.elastic.co/guide/en/kibana/current/lucene-query.html

Here the link for the Query String syntax:
https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax

You can try the follwing steps to see how it work the wild card and the regular expression.

Add this index

POST test/_doc/_bulk
{"index" : {"_id": "1"}}
{ "path": "/something/to/search/search.html" }
{"index" : {"_id": "2"}}
{ "path": "/nothing/to/search/new.html" }
{"index" : {"_id": "3"}}
{ "path": "/something/to/view/other.html" }
{"index" : {"_id": "4"}}
{ "path": "/not/to/search/search.html" }

Add index pattern in the Kibana->Managemnt->Index Patterns

Now try in the Discover the following (change to the right index pattern)

Regular Expression
path.keyword:/\/some.*/ - 2 hits
path.keyword:/\/some.*\/search.*/ - 1 hit

Wild Card
path.keyword:\/some* - 2 hits
path.keyword:\/some*\/search* - 1 hit

Hope you could understand better how it works.

If you still can not make the searches send me the mapping and examples of documentsand, and I help you to make the search in the Discover. :slight_smile:

7

Hi and thanks for anwsering again,
thank you very much.
And yes, your example is delivering the correct hits.

On my own index it is not working. :confused:
I have sent you my mapping as a private message, would be awesome if you could tell me whats wrong with it. THANKS.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.