Use wildcard data type ,The number of events does not match when querying

I use two field types: text and wildcard to store the same error log. When I query, I find the missing content

GET test-wildcard/_search
{
  "query": {
    "match": {
      "json.thrown.stack": "*invokeWithoutCircuitBreaker$LOG4X*"
    }
  }
}

GET test-text/_search
{
  "query": {
    "match": {
      "json.thrown.stack": "invokeWithoutCircuitBreaker$LOG4X"
    }
  }
}

Is my query method wrong or the problem caused by the wildcard field type?

Hi.
match query doesn't support wildcard syntax.
Try

{
	"query": {
		"wildcard": {
			"json.thrown.stack":  {
				"value":"*invokeWithoutCircuitBreaker$LOG4X*"
			}
		
		}
	}
}

Thanks for your reply !

I tried the wildcard syntax, but the result is the same, there is still a difference with the result of the text field type search.

GET test-wildcard/_search
{
  "query": {
    "wildcard": {
      "json.thrown.stack": {
        "value": "*invokeWithoutCircuitBreaker$LOG4X*"
      }
    }
  }
}

That's because the query/field combos are doing fundamentally different things.

One is an exact search for an exact sequence of characters (wildcard query on wildcard field)

The other is matching any word in a list of presented words (match query on text field). The words are potentially stripped of case differences and separated by characters determined by the text field's choice of Analyzer.

That's right !
The wildcard field does not ignore case, so the returned results will look different.
Thanks for helping me out !

1 Like

No problem.
We are working on adding case insensitive search options.
For now you can use a regexp query instead of the wildcard and list each character with its allowed variants e.g. Case becomes [Cc][Aa][Ss][Ee]