Wildcard search issue

Hi all,

I'm facing an issue when I try to search like below in Kibana interface:

(for information, the host field is analyzed and the short_message field is not_analyzed)

The string in the short_message field: "Port Manager Internal Software Error (pm_vtpvlan_bitlist_test(&operInfo.trunkVlans, vlan)"

host:"test.corp" AND short_message:*Internal* -> I didn't get any result

but with

host:"test.corp" AND short_message:*nternal* -> I get a result

I don't understand why? Why does it work when I leave out the "I", but otherwise it doesn't work?

When I issue a GET command like below, it works:

... 
"query": {
        "query_string": {
          "query": "host:\"test.corp\"",
          "analyze_wildcard": true
           }
  },
  "query": {
        "wildcard": {
            "short_message": "*Internal*"
        }
  },
...

I'm interested if anyone has the solution, because right now I'm not able to perform a wildcard search on a not_analyzed field through Kibana.

Thanks in advance,
Alex

Have you looked at the request being sent to elasticsearch when you perform this search? If you click on the arrow to the bottom-left of the bar chart on the discover page, it should reveal a panel that shows you information about the request, including the query that ends up being sent to elasticsearch. Could you copy that here?

Hi,

There is no panel to see the request when I get "No results found". When I get a result I can see the request sent to elasticsearch.

But I did a tcpdump; please find below the working request:

...
{
"size":500,
"sort":[{"@timestamp":{"order":"desc","unmapped_type":"boolean"}}],
    "query":{
         "filtered":{
             "query":{
                 "query_string":{
                     "analyze_wildcard":true,
                     "query":"host:\"test.corp\"  AND short_message:*nternal*"
                 }
             },
...

And below the request not working:

...
{
"size":500,
"sort":[{"@timestamp":{"order":"desc","unmapped_type":"boolean"}}],
    "query":{
         "filtered":{
             "query":{
                 "query_string":{
                     "analyze_wildcard":true,
                     "query":"host:\"test.corp\"  AND short_message:*Internal*"
                 }
             },
...

Thanks in advance,
Alex

My guess is that this has something to do with the fact that your short_message field is not analyzed. I'm not exactly sure why the latter isn't providing results, but the Elasticsearch sub-forum may be of more help to you.

What I can tell you is that, if you'd like, you are able to paste in entire search queries. For example, you can copy the following JSON and paste it in the search bar, and tweak if necessary:

{
  "query_string": {
    "query": "host:\"test.corp\"",
    "analyze_wildcard": true
  }
}
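As an added illustration (not code from the thread, and not Elasticsearch's own implementation), the Python model below reproduces the symptom reported above: it matches both patterns against the stored short_message value the way a case-sensitive `wildcard` query on a not_analyzed field does, and the way the `query_string` parser would if it lowercases expanded wildcard terms before matching; that lowercasing is an assumption about the cause, not something the thread establishes.

```python
import fnmatch
import re

# Constructed sample: the not_analyzed short_message value quoted in the thread.
SHORT_MESSAGE = ("Port Manager Internal Software Error "
                 "(pm_vtpvlan_bitlist_test(&operInfo.trunkVlans, vlan)")


def wildcard_matches(value, pattern):
    """Case-sensitive wildcard match, as a `wildcard` query behaves against a
    not_analyzed (keyword) field: the pattern is compared to the stored term
    exactly, with * and ? as the only metacharacters."""
    return re.fullmatch(fnmatch.translate(pattern), value) is not None


def query_string_wildcard_matches(value, pattern, lowercase_expanded_terms=True):
    """Model of what a query_string parser may do to a wildcard term before it
    is matched. Assumption (not stated in the thread): with the parser's
    lowercase_expanded_terms option on, the wildcard term is lowercased while
    the stored value is not, so a capitalised literal never matches."""
    if lowercase_expanded_terms:
        pattern = pattern.lower()
    return wildcard_matches(value, pattern)


def explain(value, pattern):
    """Return which of the three ways of issuing the pattern finds the value."""
    return {
        "wildcard query": wildcard_matches(value, pattern),
        "query_string (lowercase_expanded_terms on)":
            query_string_wildcard_matches(value, pattern, True),
        "query_string (lowercase_expanded_terms off)":
            query_string_wildcard_matches(value, pattern, False),
    }


if __name__ == "__main__":
    # *Internal* only fails when the term is lowercased; *nternal* is unaffected.
    for pat in ("*Internal*", "*nternal*"):
        print(pat, explain(SHORT_MESSAGE, pat))
```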

Thanks a lot! I will try.
