Wildcard field type

Introduced 2.15

A wildcard field is a variant of a keyword field designed for arbitrary substring and regular expression matching.

Use a wildcard field when your content consists of “strings of characters” and not “text”. Examples include unstructured log lines and computer code.

The wildcard field type is indexed differently from the keyword field type. Whereas keyword fields write the original field value to the index, the wildcard field type splits the field value into substrings with a length that is less than or equal to 3 and writes the substrings to the index. For example, the string test is split into strings t, te, tes, e, es, and est.

At search time, required substrings from the query pattern are matched against the index to produce candidate documents, which are then filtered according to the pattern in the query. For example, for the search term test, OpenSearch performs an indexed search for tes AND est. If the search term contains fewer than three characters, OpenSearch uses character substrings that are one or two characters long. For each matching document, if the source value is test, then the document is returned in the results. This excludes false positive values like nikola tesla felt alternating current was best.
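The two phases described above (indexed candidate lookup, then verification against the source value) can be modeled in a few lines. This is an added example, not OpenSearch code: it is a simplified model in which every substring of length 1 to 3 is indexed, the function names and sample documents are hypothetical, and Python's fnmatch stands in for the pattern check, assuming patterns use only * and ?.

```python
import fnmatch
from collections import defaultdict

MAX_N = 3  # per the page: indexed substrings have length <= 3

def ngrams(value, max_n=MAX_N):
    """All substrings of value with length 1..max_n (simplified model)."""
    return {value[i:i + n] for i in range(len(value))
            for n in range(1, max_n + 1) if i + n <= len(value)}

def build_index(docs):
    """Map each substring to the ids of the documents that contain it."""
    index = defaultdict(set)
    for doc_id, value in docs.items():
        for gram in ngrams(value):
            index[gram].add(doc_id)
    return index

def required_grams(term, max_n=MAX_N):
    """Substrings a match must contain: 3-grams, or the whole term if shorter."""
    if len(term) <= max_n:
        return {term}
    return {term[i:i + max_n] for i in range(len(term) - max_n + 1)}

def search(index, docs, pattern):
    """Return (candidates, matched) for a pattern made of literals, * and ?."""
    # Phase 1: only the literal pieces between wildcards can use the index.
    literals = [p for p in pattern.replace("?", "*").split("*") if p]
    candidates = set(docs)
    for lit in literals:
        for gram in required_grams(lit):
            candidates &= index.get(gram, set())
    # Phase 2: check each candidate's source value against the full pattern.
    matched = {d for d in candidates if fnmatch.fnmatchcase(docs[d], pattern)}
    return candidates, matched

# Constructed sample values; the second is the false positive quoted on the page.
DOCS = {
    1: "test",
    2: "nikola tesla felt alternating current was best",
    3: "GET /index.html 200",
}
INDEX = build_index(DOCS)

if __name__ == "__main__":
    for pat in ("test", "*tes*", "*.html*"):
        print(pat, search(INDEX, DOCS, pat))
```

For the term test, both documents 1 and 2 survive the indexed lookup because each contains tes and est somewhere, and only the verification step removes document 2.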

In general, exact match queries (like term or terms queries) perform less effectively on wildcard fields than on keyword fields, while wildcard, prefix, and regexp queries perform better on wildcard fields.

Example

Create a mapping with a wildcard field:

    PUT logs
    {
      "mappings" : {
        "properties" : {
          "log_line" : {
            "type" : "wildcard"
          }
        }
      }
    }


Parameters

The following table lists all parameters available for wildcard fields.

| Parameter | Description |
| --- | --- |
| doc_values | A Boolean value that specifies whether the field should be stored on disk so that it can be used for aggregations, sorting, or scripting. Default is false. |
| ignore_above | Any string longer than this integer value should not be indexed. Default is 2147483647. |
| normalizer | The normalizer used to preprocess values for indexing and search. By default, no normalization occurs and the original value is used. You may use the lowercase normalizer to perform case-insensitive matching on the field. |
| null_value | A value to be used in place of null. Must be of the same type as the field. If this parameter is not specified, then the field is treated as missing when its value is null. Default is null. |