A.2 Wildcards in Search Queries

Lucene supports two wildcard characters in search values: “*” matches zero or more characters and “?” matches exactly one character. Wildcards are not interpreted inside regular expressions:

For example:

A.2.1 Wildcards in Tokenized Fields

Wildcards behave differently in tokenized fields and non-tokenized fields. In a tokenized field, the value is split into words when it is indexed, and a wildcard pattern is matched against each of those words individually, never against the whole value. For example, the query msg:authentication*failed does not return an event whose message is The user authentication has failed on the server. The pattern must be satisfied by a single word, and no word in that message both begins with “authentication” and ends with “failed”; the “*” cannot span the words between them. The query does match any single word that begins with “authentication” and ends with “failed,” such as “authenticationhasfailed,” “authenticationuserfailed,” or “authenticationserverfailed.” For tokenized fields, all wildcard matching is therefore done on the individual words of the value and not on the full value.

A.2.2 Quoted Wildcards

Tokenized Fields

When wildcards are quoted, they are not treated as wildcards, but as word delimiters. For example, consider the following query:

msg:"user* fail*"

The search value "user* fail*" is parsed into two words, “user” and “fail.” The semantic is “find any event where the msg field contains the words “user” and “fail,” in that order, with no intervening words between them.” Thus, it does not match the following value:

The user authentication has failed on the server.

This is because the wildcards are treated as word delimiters rather than as wildcards: the query looks for the exact word “user” immediately followed by the exact word “fail,” and the value above contains “failed,” not “fail,” and separates “user” from it by other words.

Non-Tokenized Fields

When wildcards are quoted, they are treated as literal characters to search for, and the whole quoted value is compared with the whole field value. For example, the query sun:"adm*" returns only the following value:

ADM* (case-insensitive)

The query does not return the following values:


A.2.3 Leading Wildcards

Leading wildcards are not valid in searches because Lucene does not allow the * or ? character to be the first character of an unquoted search value. For example, the following queries are invalid:

  • sun:*adm* The semantic is “find any event whose initiator user name value contains the consecutive letters “adm.”

  • sun:*tester The semantic is “find any event whose initiator user name value ends with “tester.”

  • sun:* The semantic is “find any event whose initiator username field is non-empty.”

    Because this is an important type of query, Sentinel Log Manager provides an alternative way to accomplish this. For more information, see Section A.3, The notnull Query.
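The following Python script is an added example, not code from Sentinel Log Manager or from Lucene. It models the matching rules described in Sections A.2.1, A.2.2 and A.2.3 (per-word wildcard matching in tokenized fields, quoted wildcards as word delimiters or literal characters, and rejection of unquoted leading wildcards) so that a query can be checked against sample events before it is run against a real index. The tokenizer (runs of letters and digits), the case-insensitive comparison, and the sample events are assumptions constructed for this example; the real Sentinel analyzer may split values differently.

```python
import re

# Constructed sample events (not Sentinel data). "msg" is a tokenized field;
# "sun" (initiator user name) is a non-tokenized field.
EVENTS = [
    {"msg": "The user authentication has failed on the server", "sun": "admin"},
    {"msg": "authenticationhasfailed", "sun": "ADM*"},
    {"msg": "user fail", "sun": "tester"},
]

TOKENIZED_FIELDS = {"msg"}

# Assumed tokenizer: a word is a run of letters or digits, so '*', '?', spaces
# and punctuation all act as word delimiters.
WORD_RE = re.compile(r"[A-Za-z0-9]+")


def tokenize(text):
    """Split a value into lower-cased words."""
    return [w.lower() for w in WORD_RE.findall(text)]


def wildcard_regex(term):
    """Translate a Lucene wildcard term to an anchored, case-insensitive regex:
    '*' matches zero or more characters, '?' exactly one, everything else is literal."""
    parts = []
    for ch in term:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


# One field:value clause, either quoted ("...") or a bare term without spaces.
QUERY_RE = re.compile(r'^(\w+):(?:"([^"]*)"|(\S+))$')


def parse_query(query):
    """Return (field, value, quoted). An unquoted value that starts with '*' or '?'
    is rejected, as Lucene's query parser does by default (A.2.3)."""
    m = QUERY_RE.match(query.strip())
    if not m:
        raise ValueError(f"unsupported query syntax: {query!r}")
    field, phrase, bare = m.groups()
    quoted = phrase is not None
    value = phrase if quoted else bare
    if not quoted and value[0] in "*?":
        raise ValueError(f"leading wildcard not allowed: {query!r}")
    return field, value, quoted


def is_rejected(query):
    """True when the query parser refuses the query (for example, a leading wildcard)."""
    try:
        parse_query(query)
        return False
    except ValueError:
        return True


def matches(query, event):
    """Decide whether one event satisfies a single field:value query under the A.2 rules."""
    field, value, quoted = parse_query(query)
    stored = event.get(field)
    if stored is None:
        return False
    if field in TOKENIZED_FIELDS:
        words = tokenize(stored)
        if quoted:
            # A.2.2, tokenized: quoted wildcards are delimiters; the literal words
            # must appear adjacent and in order.
            needle = tokenize(value)
            if not needle:
                return False
            return any(words[i:i + len(needle)] == needle
                       for i in range(len(words) - len(needle) + 1))
        # A.2.1: the wildcard pattern is tested against each word, never the whole value.
        pattern = wildcard_regex(value)
        return any(pattern.match(w) for w in words)
    if quoted:
        # A.2.2, non-tokenized: quoted wildcards are literal characters.
        return stored.lower() == value.lower()
    # Unquoted wildcard on a non-tokenized field: pattern against the whole value.
    return wildcard_regex(value).match(stored) is not None


def search(query):
    """Return the indexes of EVENTS that match the query."""
    return [i for i, ev in enumerate(EVENTS) if matches(query, ev)]


if __name__ == "__main__":
    for q in ('msg:authentication*failed', 'msg:"user* fail*"', 'sun:"adm*"',
              'sun:adm*', 'sun:*adm*', 'sun:*'):
        print(f"{q:28} -> {'rejected' if is_rejected(q) else search(q)}")
```

Running the script prints, for each of the page's queries, which sample events match or that the query is rejected. Note that the unquoted sun:adm* matches both "admin" and "ADM*" because on a non-tokenized field the wildcard applies to the whole value, whereas the quoted sun:"adm*" matches only the literal value.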