Wildcard Queries Vs Query_string Queries

Sheharyar_Khalid · January 9, 2023, 1:07am

Hello,

I am looking for wildcard matching of events on log data in elasticsearch. For example i want to match IP addresses in my data but I only know the ending address (i want to match to 192.100.1.1 but i search for *.1.1).

I wanted to know if there is any difference (logically or implementation wise) if I am using query string query


{"bool": {"must" : [{"query_string": {"query": "*something"}},{"match": {"message.type": "RECORD_EVENT"}}]}})

Or if I am using wildcard query

{"bool": {"must" : [{"wildcard": {"_all": "*something"}},{"match": {"message.type": 
"RECORD_EVENT"}}]}})

Also, is there any way to speed up such queries? (I am using the default analyzer and tokenizer)

Christian_Dahlqvist · January 9, 2023, 5:21am

I do not know of differences in implementation, but in both cases you will be looking for terms based on leading wildcard, and leading wildcard queries are the most expensive and inefficient type of query in Elasticsearch.

The only way I am aware of to speed it up is is to change your mappings and start using the wildcard field type, especially if you have a large field or high cardinality.

system · February 6, 2023, 5:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is there a difference between query_string, wildcard and match? Elasticsearch	5	9758	June 11, 2018
QueryStringQuery vs Boolean Query performance difference Elasticsearch	1	703	July 5, 2017
Query_string using '*' wildcard VS prefix query Elasticsearch	2	1194	February 14, 2020
QueryString vs multiple wildcards Elasticsearch	6	694	July 5, 2023
Use wildcard data type ,The number of events does not match when querying Elasticsearch	6	722	October 1, 2020

Wildcard Queries Vs Query_string Queries

Related topics