Okay, so while doing some research on analyzers and wildcard searches in not-analysed fields in ES, I stumbled upon an issue which deals with exactly that problem and has already been discussed in the ES community a couple of times. The thing is that there is a parameter lowercase_expanded_terms in the query DSL, which is set to *true* by default. This means that your search terms are always interpreted as lower case, even if they contain upper case letters. Consequently, when you do wildcard searches in not-analysed fields, the lower-cased search term (do*Thing -> do*thing) never matches values which include upper case letters (doAnotherThing).
For more information, refer to https://github.com/elastic/elasticsearch/issues/9978. Long story short, you usually want to have lowercase_expanded_terms set to true for analysed fields and false for not-analysed fields. However, this requires the developers to rewrite their analysis framework, which is why the issue is categorised as "high hanging fruit" and has been postponed from one milestone to another several times. Since adding custom mappings for every new index created by Graylog is not practicable (and not a general solution either), I guess we have to wait for the ES guys to fix this issue.
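The interaction described in the post, as an added example that is not part of the original message or of Graylog/Elasticsearch code: a small simulation of how a wildcard term is expanded against the inverted index for an analysed field (terms lowercased at index time) versus a not_analyzed field (terms stored verbatim), with lowercase_expanded_terms switched on and off, plus the query_string request body that actually carries the flag. The documents and the field name "source" are constructed for the example; the analyzer is reduced to lowercasing, since the standard analyzer does nothing else to single-token values like these.

```python
import json
import re

# Constructed sample documents (not from the original post). The field name
# "source" is an assumption; any Graylog message field behaves the same way.
DOCS = [
    {"id": 1, "source": "doAnotherThing"},
    {"id": 2, "source": "doThing"},
    {"id": 3, "source": "DOSOMETHING"},
    {"id": 4, "source": "unrelated"},
]


def indexed_term(value: str, analyzed: bool) -> str:
    """Return the term as it lands in the inverted index.

    Simplification: the standard analyzer also tokenizes on whitespace and
    punctuation, but for single-token values like the ones above it only
    lowercases. A not_analyzed field stores the value verbatim.
    """
    return value.lower() if analyzed else value


def wildcard_regex(pattern: str) -> re.Pattern:
    """Translate an ES wildcard term (only * and ? are special) into a regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts))


def wildcard_hits(pattern, docs, field, analyzed, lowercase_expanded_terms):
    """Ids of documents whose indexed term matches the expanded wildcard.

    With lowercase_expanded_terms=True the pattern is lowercased *before*
    expansion, which is exactly what makes do*Thing turn into do*thing.
    The expansion itself is case-sensitive, like Lucene's term matching.
    """
    if lowercase_expanded_terms:
        pattern = pattern.lower()
    rx = wildcard_regex(pattern)
    return {d["id"] for d in docs if rx.fullmatch(indexed_term(d[field], analyzed))}


def query_string_body(pattern, field, lowercase_expanded_terms):
    """The query_string request body carrying the flag (ES 1.x / 2.x DSL)."""
    return {
        "query": {
            "query_string": {
                "query": f"{field}:{pattern}",
                "lowercase_expanded_terms": lowercase_expanded_terms,
            }
        }
    }


if __name__ == "__main__":
    for analyzed in (True, False):
        for lc in (True, False):
            hits = wildcard_hits("do*Thing", DOCS, "source", analyzed, lc)
            kind = "analyzed" if analyzed else "not_analyzed"
            print(f"{kind:13} lowercase_expanded_terms={lc!s:5} -> hits {sorted(hits)}")
    # The setting you would want for the not_analyzed case:
    print(json.dumps(query_string_body("do*Thing", "source", False), indent=2))
```

Running it shows the four combinations side by side: for the not_analyzed field the default (true) returns nothing and false returns both do*Thing documents, while for the analysed field the default is the one that works and false returns nothing, which is why a single global value cannot serve both field types.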
