Wildcard Queries Vs Query_string Queries

Hello,

I am looking for wildcard matching of events on log data in Elasticsearch. For example, I want to match IP addresses in my data but I only know the ending address (I want to match 192.100.1.1 but I search for *.1.1).

I wanted to know if there is any difference (logically or implementation-wise) if I am using a query string query

{"bool": {"must": [{"query_string": {"query": "*something"}}, {"match": {"message.type": "RECORD_EVENT"}}]}}

Or if I am using wildcard query

{"bool": {"must": [{"wildcard": {"_all": "*something"}}, {"match": {"message.type": "RECORD_EVENT"}}]}}

Also, is there any way to speed up such queries? (I am using the default analyzer and tokenizer)

I do not know of differences in implementation, but in both cases you will be looking for terms based on leading wildcard, and leading wildcard queries are the most expensive and inefficient type of query in Elasticsearch.

The only way I am aware of to speed it up is to change your mappings and start using the wildcard field type, especially if you have a large field or high cardinality.
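As an added example (not from the original thread), here is the mapping change the reply describes, in Kibana Dev Tools console syntax: an index whose IP field uses the `wildcard` type, followed by the leading-wildcard query from the question run against that field instead of `_all`. The index name `logs-wildcard-demo` and the field name `client_ip` are assumptions.

```json
PUT logs-wildcard-demo
{
  "mappings": {
    "properties": {
      "client_ip": { "type": "wildcard" },
      "message": {
        "properties": {
          "type": { "type": "keyword" }
        }
      }
    }
  }
}

GET logs-wildcard-demo/_search
{
  "query": {
    "bool": {
      "must": [
        { "wildcard": { "client_ip": { "value": "*.1.1" } } },
        { "match": { "message.type": "RECORD_EVENT" } }
      ]
    }
  }
}
```

The `wildcard` field type (Elasticsearch 7.9 and later) indexes n-grams of the value and verifies candidate matches against a stored copy, so a leading `*` no longer has to expand against every term in the field's dictionary.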
