Wildcard search doesn't work in Kibana

Question

I have a field "Alert" that contains a long string containing spaces, numbers, and special characters. I have this field set to "not_analyzed". Using the Wildcard query I can issue a query as follows and get the results I want.

POST /test-index-snort2/type-snort/_search
{
  "query": {
    "wildcard": {
      "Alert": {
        "value": "ET CNC*"
      }
    }
  }
}

I'd like to use Kibana to implement a similar search. Doing so however returns no results. My query in Kibana appears as follows:

Alert:"ET CNC*"

Which in turn creates a query_string query like so:

"query": {
    "filtered": {
      "query": {
        "bool": {
          "should": [
            {
              "query_string": {
                "query": "Alert:\"ET CNC*\""
              }
            }
          ]
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "match_all": {}
            }
          ]
        }
      }
    }

Is there a way to get the same results in Kibana via the query_string query that I do with using the wildcard query?

Here is the mapping for the Alert field and a sample of the entries:

"Alert": {
        "type": "string",
        "index": "not_analyzed"
},

"Alert": "ET CNC Palevo Tracker Reported CnC Server TCP group 9 ",
"Alert": "ET CNC Palevo Tracker Reported CnC Server TCP group 10 ",
"Alert": "ET CNC Zeus Tracker Reported CnC Server TCP group 3 ",

Answer 1

Thanks to polyfractal over in #elasticsearch, I have an answer. By default query_string will lowercase wildcard input. This can be disabled through the lowercase_expanded_terms=false setting. However, there's no way to set this in Kibana.

polyfractal recommended that I create an analyzer to lowercase this content. This will allow me utilize the query_string with wildcards with the limitation that the field value will appear in lowercase in facet results, but the _source will retain the original formatting. For me, this works well and is the solution I'm moving forward with.

Except from IRC:

<polyfractal> id set up the analyzer like this:  tokenizer:keyword, filters: [lowercase]
<polyfractal> that'll basically give you a lowercased `not_analyzed` field.  may also want to disable norms, since you prolly dont need them either

Answer 2

Try

{"wildcard":{"Alert":"ET CNC*"}}

in search bar. you will get the expected format in query_string.

Answer 3

On a related note, i was able to get lowercase_expanded_terms in kibana working with this change:

diff --git a/src/app/services/querySrv.js b/src/app/services/querySrv.js
index 72e5d8b..160285c 100644
--- a/src/app/services/querySrv.js
+++ b/src/app/services/querySrv.js
@@ -102,7 +102,7 @@ function (angular, _, config, kbn) {
               .size(q.size)
               .facetFilter(ejs.QueryFilter(
                 ejs.FilteredQuery(
-                  ejs.QueryStringQuery(q.query || '*'),
+                  ejs.QueryStringQuery(q.query || '*').lowercaseExpandedTerms(false),
                   filterSrv.getBoolFilter(filterSrv.ids())
                   )))).size(0);

@@ -206,7 +206,7 @@ function (angular, _, config, kbn) {
       switch(q.type)
       {
       case 'lucene':
-        return ejs.QueryStringQuery(q.query || '*');
+        return ejs.QueryStringQuery(q.query || '*').lowercaseExpandedTerms(false);
       case 'regex':
         return ejs.RegexpQuery('_all',q.query);
       default:
@@ -281,4 +281,4 @@ function (angular, _, config, kbn) {
     self.init();
   });

Answer 4

I do not see here the simplest answer, this one:

If you specify Alert:"ET CNC*" in Kibana's search bar, it indeed will not return any result,

BUT

If you drop the quotation marks, wildcard search works in the lucen filter field, too. Now, of course in your case the space in the search query is problematic, but given your dataset Alert: ET*CNC* would yield the same result.