Wildcard search in Kibana for string text in message field

Question

I have the following plain text string in the message field in Kibana

message: Request result. Request: amount=58289.540000, name=Raj, so on.....

In Kibana in Lucene search when I use message: "Request Result" then I get the correct match.

But I want to search using wildcard like message: "Request Resu*". Is this possible without any changes to the logs or to Kibana index?

Edit:

I thought that "message" is a plain text log, when I search "amount=58289.540000, name=Raj" then I get the result but when I search for "amount=58289.540000, name=R" then I dont get any result. How does Kibana know that this is a partial value?

I guess message is not plain text? How can I know what is the type of the log that I am viewing in Kibana GUI?

Answer 1

What you're trying to achieve, might not be currently available, but you can try putting Request Resu in the query bar (without the "Message:" part and no double-quotes).

• Request Resu (without quotes) will return every doc where the message field contains Request or Resu or both.
• "Request Resu" (with quotes) will return every doc where the message field contains Request and Resu both in the same order.
• You cannot use wildcards inside of phrases.
• The search queries mentioned below (one word) would work as per the requirements:
  • message:requestresu*
  • message:?request*
  • message:?req*
  • message:?resul

NB: Since Elasticsearch applies the analyzers on your queries, it might look like wildcards are working inside phrases if you place them at the beginning/end of words. — e.g. IN YOUR CASE: message: "Request Resu*" (with quotes) will still return both documents on analyzed data, but. that is not because your wildcard worked as expected, but it is because the analyzer stripped the asterisk when analyzing the query. That query wouldn't find the value "Request Resuxxxxx".

You might wanna go through this link for more details.