I have an extraction query like so:
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "wildcard": {
            "message.keyword": {
              "wildcard": "*Error during login*"
            }
          }
        },
        {
          "match": {
            "host.hostname": {
              "query": "<a hostname>",
              "operator": "AND",
              "prefix_length": 0,
              "max_expansions": 50,
              "fuzzy_transpositions": true,
              "lenient": false,
              "zero_terms_query": "NONE",
              "auto_generate_synonyms_phrase_query": true,
              "boost": 1
            }
          }
        },
        {
          "match": {
            "account_alias": {
              "query": "<an aws account>",
              "operator": "AND",
              "prefix_length": 0,
              "max_expansions": 50,
              "fuzzy_transpositions": true,
              "lenient": false,
              "zero_terms_query": "NONE",
              "auto_generate_synonyms_phrase_query": true,
              "boost": 1
            }
          }
        }
      ],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "{{period_end}}||-24h",
              "to": "{{period_end}}",
              "include_lower": true,
              "include_upper": true,
              "format": "epoch_millis",
              "boost": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  }
}
When I remove the wildcard array element, I get a ton of hits. If I only search for “Error” in the wildcard string, I also get a ton of hits. When I add more words, I immediately go to no search hits even though I can confirm through discovery that there should be hits. I believe it has to do with the spaces. How do I wildcard match including whitespace?
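An added model of how the wildcard clause above is evaluated, not code from the question: Lucene wildcard queries are not analyzed, so the pattern is compared literally and case-sensitively against each indexed term; on a `.keyword` sub-field the term is the whole message (unless it exceeds the mapping's `ignore_above`, assumed here to be the dynamic-mapping default of 256), while on the analyzed text field every word is its own term, so a pattern containing a space can never match there. The standard-analyzer approximation and the sample messages are constructed.

```python
import re

# Assumption: dynamic mapping default for .keyword sub-fields (ignore_above: 256).
IGNORE_ABOVE = 256


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Lucene wildcard pattern (* = any run, ? = one char) into an anchored regex.
    The pattern itself is not analyzed: whitespace and case are matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def keyword_terms(value: str) -> list:
    """Terms indexed for a keyword sub-field: the untouched whole value,
    or nothing at all when the value is longer than ignore_above."""
    return [value] if len(value) <= IGNORE_ABOVE else []


def text_terms(value: str) -> list:
    """Approximation of the standard analyzer on a text field: split on non-word characters, lowercase."""
    return [t.lower() for t in re.findall(r"\w+", value)]


def wildcard_hits(pattern: str, docs: list, field: str) -> list:
    """Ids of the documents whose indexed terms for `field` match `pattern`, as a wildcard query would see them."""
    rx = wildcard_to_regex(pattern)
    tokenize = keyword_terms if field == "message.keyword" else text_terms
    return [doc_id for doc_id, msg in docs if any(rx.match(t) for t in tokenize(msg))]


# Constructed sample events (not taken from the question); the wildcard pattern is the question's own.
DOCS = [
    ("short", "Error during login for user alice"),
    ("tabbed", "Error\tduring login for user bob"),              # a tab where the pattern expects a space
    ("long", "Error during login for user carol: " + "x" * 300),  # keyword value dropped by ignore_above
]

if __name__ == "__main__":
    for field in ("message.keyword", "message"):
        for pattern in ("*Error*", "*Error during login*"):
            print(field, pattern, wildcard_hits(pattern, DOCS, field))
```

The model reproduces the symptom: on `message.keyword` the single word matches every short event but the multi-word pattern only matches events whose whitespace is exactly a space and whose length is under `ignore_above`, so checking the field mapping and the raw bytes of a known-good event in Discover is the first diagnostic step.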