Wildcard Search Issue

c_koell · March 14, 2017, 2:40pm

Hi !

Based on Wildcard search question i have tried to figure out the exact problem what we have with wildcardsearches on fields.

I will try to explain the behaviour.

Environment: Graylog 2.1.3
We send via gelf two messages with a field called application with the values “jto” and “JCR”.
If we search now
application:jto → Result
application:jT* → Result !
As i understand, the field will not be analyzed so the value should be stored as it comes and therefore jT* should bring no results.

Is it true that graylog will lower the search value if you put a * on the end of the value ?

If i perform following search direct via ElasticSearch i get no results.
{
“query”: {
“bool”: {
“must”: [
{
“wildcard”: {
“application”: “jT*”
}
}
],
“must_not”: ,
“should”:
}
},
“from”: 0,
“size”: 10,
“sort”: ,
“aggs”: { }
}

The second search:
application:JCR → Result
application:JC* → No Result

Also here it looks like that graylog will lower the value and therefore the search will get no results.

If i perform following search direct via ElasticSearch i get results.
{
“query”: {
“bool”: {
“must”: [
{
“wildcard”: {
“application”: “JC*”
}
}
],
“must_not”: ,
“should”:
}
},
“from”: 0,
“size”: 10,
“sort”: ,
“aggs”: { }
}

but if i try this search i get No Results

{
“query”: {
“bool”: {
“must”: [
{
“wildcard”: {
“application”: “jc*”
}
}
],
“must_not”: ,
“should”:
}
},
“from”: 0,
“size”: 10,
“sort”: ,
“aggs”: { }
}

Can somebody give some feedback please to my assumption.

Thanks
Claus

dustintennill · March 15, 2017, 1:26pm

Claus,

I think I just experienced the same issue on our environment (2.2.2).

My example is much the same - we have a field that contains a space separated list of usernames. I wanted to build dashboards showing record counts for each user.

If the username is lowercase, the search for myfield:username works exactly as expected.
If the username has an uppercase letter, the search for myfield:UserName returns no records.

I converted the data for “myfield” to lowercase as it comes in to graylog so the searches work as expected, but was excited to see it was identified as a potential issue.

Dustin

c_koell · March 24, 2017, 6:41am

Hi Graylog Team !

Is it possible to get a feedback to my question please ??

thanks
claus

rafaelcarsetimo · March 25, 2017, 10:26pm

Note that leading wildcards are disabled to avoid excessive memory consumption! You can enable them in your Graylog configuration file:

allow_leading_wildcard_searches = true

c_koell · March 27, 2017, 6:55am

Hi !

My Question has nothing to do with leading wildarcds

greets
claus

chavez243ca · June 11, 2018, 2:56pm

Experiencing the rather pernicious Uppercase search issue on 2.4.3 as well. While I understand the underlying cause might be rooted to Elastic / Lucene - it nevertheless affects the usability of Graylog to a fairly high degree.

Uppercase happens…

Topic		Replies	Views
Wildcard search question Graylog Central (peer support)	9	40740	April 4, 2018
Specific field not indexed correctly and search not working Graylog Central (peer support)	8	2880	November 12, 2020
Strange search beaviour Graylog Central (peer support)	3	631	May 9, 2017
Search in array after JSON extractor Graylog Central (peer support)	4	3324	July 18, 2019
Searching special characters Graylog Central (peer support)	9	8483	June 3, 2020

Wildcard Search Issue

Related topics