
Winlogbeat case insensitive search


When using Discover in Kibana I can type "hostxyz" and a case-insensitive search will be performed.

However, when performing the same kind of search but targeting a specific field, for example winlog.computer_name: "hostxyz", the query becomes case sensitive.

I have extracted the mapping for this example, as per below.

    "computer_name": {
      "type": "keyword",
      "ignore_above": 1024
    },

This is likely an obvious question, but can anyone state what I'm doing wrong here?


Solution

  • The type for computer_name field is keyword, which makes it a case sensitive field and any search on this field will be case sensitive.

    The searches would not only be case sensitive but AS IS searches, meaning the search term should EXACTLY match the value in the field.

    If you want to make it case insensitive, you could do something like this.

    Create the following analyzer in your index

    "analyzer": {
      "keyword_lowercase": {
        "tokenizer": "keyword",
        "filter": [
          "lowercase"
        ]
      }
    }

    Then, change the mapping in your index as follows

    "computer_name": {
      "type": "text",
      "analyzer": "keyword_lowercase"
    }

    This will still be a keyword search (exact match), but will index data and generate tokens in lowercase.

    For a generalized search, you could use the standard analyzer (which has a lowercase filter by default) in place of keyword_lowercase. Or you could simply omit the "analyzer" field completely and Elasticsearch will use the standard analyzer by default for your field. A better approach could be to use a multi-field to analyze computer_name in multiple ways, like this:

    "computer_name": {
      "type": "text",
      "fields": {
        "lowercase_keyword": {
          "type": "text",
          "analyzer": "keyword_lowercase"
        }
      }
    }

    You can use the computer_name field in queries for generalized search and computer_name.lowercase_keyword for keyword (exact) matches.
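As an added example (mine, not part of the original answer), the Python below assembles the settings and mapping the answer describes under the question's winlog.computer_name path and emulates the terms each mapping indexes, so the three behaviours (case-sensitive keyword, lowercased exact match, tokenised generalized search) can be compared without a running cluster. The standard-analyzer emulation is a hostname-oriented approximation, not Elasticsearch's tokenizer.

```python
import json
import re

# Added example, not from the original post: builds the index body the answer
# describes and emulates which terms each analysis produces, to show why a
# query for "hostxyz" misses a keyword value "HostXYZ" but hits the subfield.

def index_body() -> dict:
    """Settings and mappings for winlog.computer_name with both analyses."""
    return {
        "settings": {"analysis": {"analyzer": {
            "keyword_lowercase": {
                "tokenizer": "keyword",    # whole value becomes a single token
                "filter": ["lowercase"],   # ... which is then lowercased
            }}}},
        "mappings": {"properties": {"winlog": {"properties": {
            "computer_name": {
                "type": "text",            # standard analyzer: split + lowercased
                "fields": {"lowercase_keyword": {
                    "type": "text",
                    "analyzer": "keyword_lowercase",
                }},
            }}}}},
    }

def analyze(value: str, analysis: str) -> list:
    """Approximate the index terms each analysis emits for a value."""
    if analysis == "keyword":            # keyword type: value stored as-is
        return [value]
    if analysis == "keyword_lowercase":  # keyword tokenizer + lowercase filter
        return [value.lower()]
    if analysis == "standard":           # approximation for hostname-like values
        return re.findall(r"[a-z0-9]+", value.lower())
    raise ValueError(analysis)

def matches(stored: str, query: str, analysis: str) -> bool:
    """A match query analyzes the query text the same way as the stored value
    and hits when at least one term is shared; for keyword, a term query
    compares the raw strings."""
    return bool(set(analyze(stored, analysis)) & set(analyze(query, analysis)))

if __name__ == "__main__":
    print(json.dumps(index_body(), indent=2))
    for analysis in ("keyword", "keyword_lowercase", "standard"):
        print(analysis, matches("HostXYZ", "hostxyz", analysis),
              matches("HOST-XYZ-01", "xyz", analysis))
```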