Those wildcard searches... or is it me?

Hi, guys my third time setting up all the good things:
Elasticsearch, Logstash, Kibana... Logs coming from Filebeat.
Kibana is showing me all the relevant Logs. I also fixed the timestamp situation. ..
Everything looks awesome. I was proud!
But now, where Boss is testing it: all RegEx related Search Options are not working. :confused:
e.g.:
request: "/somedata/somewhere/here.html" ..
request: "/somedata/wheresome/here.html" ..
..

I want to search in Kibana something like this: "/somedata/*/here.html", which should return both, right?
..but it shows me nothing. Yes, I have escaped every symbol properly etc.
Is there a nice guide somewhere on how to make the classic wildcard search ( "*", "?", ..) functional?
In other words:
How to apply the right analyzer to make wildcard searches within the request fields work?

Thanks, guys. And sorry for mistakes. I am new here. :see_no_evil:

Thanks for this amazing input, guys. Thanks.

Could someone explain to me the following please:

"/somedata/*/here.html" gives zero feedback,
"\/somedata\/*\/here\.html" gives zero feedback,
/somedata/*/here.html gives some feedback but not the right one,
request: ""/somedata/*/here.html"" zero feedback,
request: ""\/somedata\/*\/here\.html"" zero feedback,
request.keyword: "/somedata/*/here.html" zero feedback,

but
{"wildcard": {"request.keyword": "*\\/somedata\\/*\\/here\\.html"}}
works as it should. That's weird.

Is it possible to use the term "{"wildcard": {"request.keyword": " as a default for the Kibana search bar?

Thanks in advance.

Hi,

You can change the default field in Discover like this:

Kibana->Management->Advanced Settings

and change the default_field at query:queryString:options

Now about the wildcards. If you want to search, you should use it like this:

request.keyword:\/somedata\/*\/here\.html

Don't use the quotes because this will be interpreted as an exact match and won't execute the wildcard.

You can also use regular expressions in Kibana like this:

request.keyword:/\/somedata\/.*\/here\.html/

Hi. Thanks for your reply.
Sadly: your given options are giving me ZERO hits. :confused:
It only works if I post it like this in Kibana:
{"wildcard": {"request.keyword": "*\\/somedata\\/*\\/here\\.html"}}

What is the magic behind your recommendations?
Even the official documentation tells me that RegEx stuff could be realized through "/" at the beginning and end. But no luck for me :confused:
For further error analysis: Should I post my mapping?
Thanks in advance.

Hi, I have noticed that the regular expression example that I sent you was wrong.

The documentation about what is accepted in Kibana is here (change for your version of Kibana):
https://www.elastic.co/guide/en/kibana/current/lucene-query.html

Here the link for the Query String syntax:
https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax

You can try the following steps to see how the wildcard and the regular expression work.

Add this index:

POST test/_doc/_bulk
{"index" : {"_id": "1"}}
{ "path": "/something/to/search/search.html" }
{"index" : {"_id": "2"}}
{ "path": "/nothing/to/search/new.html" }
{"index" : {"_id": "3"}}
{ "path": "/something/to/view/other.html" }
{"index" : {"_id": "4"}}
{ "path": "/not/to/search/search.html" }

Add an index pattern in Kibana->Management->Index Patterns

Now try the following in Discover (change to the right index pattern)

Regular Expression
path.keyword:/\/some.*/ - 2 hits
path.keyword:/\/some.*\/search.*/ - 1 hit

Wildcard
path.keyword:\/some* - 2 hits
path.keyword:\/some*\/search* - 1 hit

Hope you can understand better how it works.

If you still cannot make the searches work, send me the mapping and examples of documents, and I will help you make the search in Discover. :slight_smile:
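
Added example, not part of the thread or of Elastic's code: a simplified Python model of how wildcard and regexp terms are matched against a keyword field, where the pattern has to cover the whole stored value. It reproduces the hit counts for the four sample documents in the post above; `PREFIXED` is a constructed, hypothetical value (the thread never shows the real stored field) illustrating why a leading `*` can change the result.

```python
import re

# The four sample documents from the bulk request in the post above.
DOCS = [
    "/something/to/search/search.html",
    "/nothing/to/search/new.html",
    "/something/to/view/other.html",
    "/not/to/search/search.html",
]

# Constructed, hypothetical value: a keyword term with text before the path.
PREFIXED = ["example.test/somedata/somewhere/here.html"]


def wildcard_to_regex(term):
    """Translate a query-string wildcard term into Python regex source.

    A backslash makes the next character literal, '*' matches any run of
    characters, '?' matches exactly one character.
    """
    out, i = [], 0
    while i < len(term):
        ch = term[i]
        if ch == "\\" and i + 1 < len(term):
            out.append(re.escape(term[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return "".join(out)


def wildcard_hits(term, values):
    # Model: the pattern must match the entire keyword term, not a substring.
    rx = re.compile(wildcard_to_regex(term), re.DOTALL)
    return [v for v in values if rx.fullmatch(v)]


def regexp_hits(pattern, values):
    # Model: Lucene regexps are anchored at both ends. Only the constructs
    # used in the thread ('.', '*', escaped '/') are assumed to behave the
    # same in Python's re module.
    rx = re.compile(pattern, re.DOTALL)
    return [v for v in values if rx.fullmatch(v)]


if __name__ == "__main__":
    for term in (r"\/some*", r"\/some*\/search*"):
        print(term, "->", len(wildcard_hits(term, DOCS)), "hit(s)")
    for term in (r"\/somedata\/*\/here\.html", r"*\/somedata\/*\/here\.html"):
        print(term, "->", len(wildcard_hits(term, PREFIXED)), "hit(s)")
```
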

Hi and thanks for answering again,
thank you very much.
And yes, your example is delivering the correct hits.

On my own index it is not working. :confused:
I have sent you my mapping as a private message, would be awesome if you could tell me what's wrong with it. THANKS.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.