Using Wildcards in field filters

Elastic Stack Kibana
1

Ok, I'm a elastic newbie (<8hrs and 100+ usages of "curl -XDELETE 'http://localhost:9200/_all'"...;).
I simply want to create a filter that searches the string content of a specific field (POND_NAME) and returns all records that start with "BABING". I've tried all the flavors of POND_NAME:BABINGTON* possible but none seem to work. What am I doing wrong? This should be simple!

2016-04-13_18-33-12.png1585×684 64.7 KB

2016-04-13_18-34-24.png1361×269 17.3 KB

This works:

2016-04-13_18-35-56.png1585×688 138 KB

This Doesn't:

2016-04-13_18-36-51.png1580×750 91.2 KB

2

Not sure if it has something to do with using wildcard on a not_analyzed field

3

I had to set the field as not_analyzed because the multi-name pond names were getting broken up into multiple different ponds. For example "BABINGTON C4" became two ponds "BABINGTON" and "C4"...

5

It may not be the not_analyzed field. I'm curious about this too so I did a test on two fields in my netflow data:

Mappings:

"IPV4_SRC_ADDR": {
        "include_in_all": true,
        "index": "not_analyzed",
        "type": "string"
      },
"L7_PROTO_NAME": {
        "include_in_all": true,
        "index": "not_analyzed",
        "type": "string"
      }

IPV4_SRC_ADDR contains IP such as 10.0.0.1, 10.0.0.2, 192.168.0.10, etc.
L7_PROTO_NAME contains protocol name such as SSL, HTTP, HTTPS, DNS, SSL.Google

Using wildcard on both fields, I can successfully get result for

IPV4_SRC_ADDR:10.0.*

which shows me 10.0.0.1 and 10.0.0.2, but when I run for L7_PROTO_NAME

L7_PROTO_NAME: "HTTP*"

then no result shows up

I don't know why I got different behaviors with wildcard search on the same field type and not_analyzed?

6

In you case you can either use include_in_all for POND_NAME field and use wildcard search in _all field, or you can use multi fields for POND_NAME

"POND_NAME": {
          "index": "analyzed",
          "type": "string",
          "fields": {
            "raw": {
              "index": "not_analyzed",
              "type": "string",
            }
          }
        },

POND_NAMEfor searching and POND_NAME.raw for aggregation

7

Thank you! That's going to work for me. I use the "analyzed" POND_NAME field to filter with wildcards and I use the "non-analyzed" field POND_NAME.raw to query by POND NAME.