Wildcards can be useful when you need to run a search on an indefinite term or a partial string.

When using the Lucene query syntax in Kibana:

  • Use a question mark to replace a single character. It’s like a Joker in a card game.
  • Use an asterisk to replace an indefinite number of characters (even 0).

Leading wildcards are disabled

Wildcard searches can be very resource heavy and slow to run.

Leading wildcards are disabled to prevent potential issues. In other words, your searches cannot begin with a wildcard.

For example, you can run a free text search for string but not for *string. Similarly, you can run a search for a field:value pair, such as key:string but not key:*string.

Workarounds and alternatives

Change the field mapping to an analyzed field

If you want to search by partial field contents, you have the option to change the field mapping to analyzed text.

Analyzed fields support filtering for a value that contains a certain string and can replace the need for leading wildcards.

For example, say you are looking for a particular host, instead of searching with a leading wildcard for host:*prod*, you can use the filters to filter under the field host for a value that contains prod.

Analyzed text fields tokenize strings

Analyzed text fields tokenize longer strings to support full-text search on individual terms.

Tokenization can mean indexing the words in a sentence, or breaking up a complex naming structure into stand-alone naming components to support more robust filtering options.

The tokenizing processor can use different predefined characters as delimiters to cut up the string into shorter terms. These can be spaces, periods, slashes, underscores, etc.

To change a field mapping, select > Tools > Field mapping from the top menu. Search for the field name, hover over it, and select the analyzed mapping option. The field will be explicitly mapped.

Explicit field mapping in Logz.io

Contact support to request a custom configuration

If the above solutions do not satisfy your needs, please contact support to request a customized solution.