Kibana: Querystring in regexp search lowercased

Created on 17 Jul 2015  路  2Comments  路  Source: elastic/kibana

How can I fully utilize ElasticSearch's regex query through Kibana? I can't force Kibana to search through the whole case-sensitive, string. It looks like at some point it lowercases the query and because of that I can't fully use regexps.

The idea is simple. I need to search all field using regular expressions, case-sensitive syntax. But not on a token level, but the whole string. I'd like to achieve the same goal described here (Logging Forensics with ELK)[http://blog.davidvassallo.me/2015/06/25/beyond-the-basics-logging-forensics-with-elk-elasticsearch-logstash-kibana/]. However, that solution doesn't work completely and that's the reason of this issue.

So far I've changed the analyzer to keyword analyzer (custom_keyword) via a template and I can perform the following queries form cURL

The base query

curl -XGET 'http://.../index/_search' -d '
         {
             "query": {
                 "regexp": {
                     "content": ".*example.*" 
                 }
             }
         }'

# Result
> This is example CONTENT
> This is example content

Regex with a capital letter

curl -XGET 'http://.../index/_search' -d '
         {
             "query": {
                 "regexp": {
                     "content": ".*example C.*" 
                 }
             }
         }'

# Result
> This is example CONTENT

From Kibana base query

content:/.*example.*/

> This is example CONTENT
> This is example content

Query with capital letter

content:/.*example C.*/

> This is example content

The result is completely wrong and it looks like the query is somehow lowercased before the search.

The HTTP request to the ElasticSearch is ok. There is a capital C there, so where is the setting which tells that query to lowercase the querystring? I completely understand that it might be useful in wildcard/regular searchig, but regular expressions should remain untouched right?

I simply can't spot the difference between those two queries (cURL and Kiban) and make it work for regular expressions.

picture Semyazz

Most helpful comment

fuck this. I spent 2 hours researching what's wrong.

picture celesteking on 25 Jul 2015
👍21

All 2 comments

I've already fixed the issue. I added lowercase_expanded_terms

{ "analyze_wildcard": true, "lowercase_expanded_terms": false }

in query:queryString:options under Settings\Advanced

Semyazz picture Semyazz on 17 Jul 2015
👍3

fuck this. I spent 2 hours researching what's wrong.

celesteking picture celesteking on 25 Jul 2015
👍21
Was this page helpful?
0 / 5 - 0 ratings

Related issues

cafuego picture cafuego  路  3Comments
ynux picture ynux  路  3Comments
timroes picture timroes  路  3Comments
stacey-gammon picture stacey-gammon  路  3Comments
timmolter picture timmolter  路  3Comments