Wildcard search doesn't work in Kibana
Thanks to polyfractal over in #elasticsearch, I have an answer. By default query_string will lowercase wildcard input. This can be disabled through the lowercase_expanded_terms=false setting. However, there's no way to set this in Kibana.
polyfractal recommended that I create an analyzer to lowercase this content. This will allow me utilize the query_string with wildcards with the limitation that the field value will appear in lowercase in facet results, but the _source will retain the original formatting. For me, this works well and is the solution I'm moving forward with.
Except from IRC:
<polyfractal> id set up the analyzer like this: tokenizer:keyword, filters: [lowercase]
<polyfractal> that'll basically give you a lowercased `not_analyzed` field. may also want to disable norms, since you prolly dont need them either
Try
{"wildcard":{"Alert":"ET CNC*"}}
in search bar. you will get the expected format in query_string.
On a related note, i was able to get lowercase_expanded_terms in kibana working with this change:
diff --git a/src/app/services/querySrv.js b/src/app/services/querySrv.js
index 72e5d8b..160285c 100644
--- a/src/app/services/querySrv.js
+++ b/src/app/services/querySrv.js
@@ -102,7 +102,7 @@ function (angular, _, config, kbn) {
.size(q.size)
.facetFilter(ejs.QueryFilter(
ejs.FilteredQuery(
- ejs.QueryStringQuery(q.query || '*'),
+ ejs.QueryStringQuery(q.query || '*').lowercaseExpandedTerms(false),
filterSrv.getBoolFilter(filterSrv.ids())
)))).size(0);
@@ -206,7 +206,7 @@ function (angular, _, config, kbn) {
switch(q.type)
{
case 'lucene':
- return ejs.QueryStringQuery(q.query || '*');
+ return ejs.QueryStringQuery(q.query || '*').lowercaseExpandedTerms(false);
case 'regex':
return ejs.RegexpQuery('_all',q.query);
default:
@@ -281,4 +281,4 @@ function (angular, _, config, kbn) {
self.init();
});