Wildcard datatypeedit

A wildcard field stores values optimised for wildcard grep-like queries. Wildcard queries are possible on other field types but suffer from constraints:

  • text fields limit matching of any wildcard expressions to individual tokens rather than the original whole value held in a field
  • keyword fields are untokenized but slow at performing wildcard queries (especially patterns with leading wildcards).

Internally the wildcard field indexes the whole field value using ngrams and stores the full string. The index is used as a rough filter to cut down the number of values that are then checked by retrieving and checking the full values. This field is especially well suited to run grep-like queries on log lines. Storage costs are typically lower than those of keyword fields but search speeds for exact matches on full terms are slower.

You index and search a wildcard field as follows

PUT my_index
{
  "mappings": {
    "properties": {
      "my_wildcard": {
        "type": "wildcard"
      }
    }
  }
}

PUT my_index/_doc/1
{
  "my_wildcard" : "This string can be quite lengthy"
}

POST my_index/_doc/_search
{
  "query": {
      "wildcard" : "*quite*lengthy"
  }
}

Parameters for wildcard fieldsedit

The following parameters are accepted by wildcard fields:

ignore_above

Do not index any string longer than this value. Defaults to 2147483647 so that all values would be accepted.

Limitationsedit

  • wildcard fields are untokenized like keyword fields, so do not support queries that rely on word positions such as phrase queries.