Kibana: Wildcard Search – Query Examples

A wildcard operator is a special character that is used in Kibana search queries to represent one or more other characters.

Kibana supports two wildcard operators: ?, which matches any single character in a specific position, and *, which matches zero or more characters.

In this note I will show some examples of Kibana search queries that use the wildcard operators.


Kibana Wildcards

Search Performance: Avoid using the wildcards * or ? at the start of a search pattern in Kibana. A leading wildcard can increase the iterations needed to find matching terms and slow down the search.

This wildcard query in Kibana searches all fields and matches each of the words ‘farm’, ‘firm’ and ‘form’ – any word that begins with ‘f’, is followed by any single character and ends with the characters ‘rm’:

f?rm

This wildcard will find anything beginning with the characters ‘ip’ in the ‘message’ field, e.g. ‘iphone’, ‘iptv’, ‘ipv6’, etc.:

message: ip*

This wildcard query will match terms such as ‘ipv6address’ and ‘ipv4addresses’ – any word that begins with ‘ip’, followed by any two characters, followed by the character sequence ‘add’, followed by any number of other characters and ending with the character ‘s’:

ip??add*s

You can also use the wildcard characters to search over multiple fields in Kibana, e.g. this query will search for ‘john’ in all fields beginning with ‘user.’, like ‘user.name’ and ‘user.id’:

user.*: john

Phrase Search: Wildcards in Kibana cannot be used when searching for phrases, i.e. ‘play c*’ will not return results containing ‘play chess’.
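
An added example, not part of the original note: a simplified Python model of the two operators as whole-term matches, plus a check that flags search values starting with a wildcard, which is the pattern the performance note warns about. The term list, the function names and the handling of a lone * are assumptions; real results also depend on how Elasticsearch analyzes each field.

```python
import re

# Constructed sample terms, including near misses for each pattern.
TERMS = ["farm", "firm", "form", "frm", "foorm", "iphone", "iptv", "ipv6",
         "ipv6address", "ipv4addresses", "ipaddress", "zip"]


def wildcard_to_regex(pattern):
    """Translate a wildcard term into a regex anchored at both ends."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")        # exactly one character
        elif ch == "*":
            parts.append(".*")       # zero or more characters
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def matching_terms(pattern, terms):
    """Return the terms that the wildcard pattern matches as a whole."""
    rx = wildcard_to_regex(pattern)
    return [t for t in terms if rx.match(t)]


def leading_wildcard_values(query):
    """Return search values in a query that begin with * or ?."""
    flagged = []
    for token in query.split():
        if token.endswith(":"):      # "message:" or "user.*:" is a field name
            continue
        value = token.split(":", 1)[1] if ":" in token else token
        value = value.lstrip("(")
        if value == "*":             # assumption: a lone * is not a term pattern
            continue
        if value[:1] in ("*", "?"):
            flagged.append(value)
    return flagged


if __name__ == "__main__":
    for pattern in ("f?rm", "ip*", "ip??add*s"):
        print(pattern, "->", matching_terms(pattern, TERMS))
    for query in ("message: ip*", "user.*: john", "message: *phone"):
        print(query, "-> leading wildcards:", leading_wildcard_values(query))
```

The near misses show the difference between the operators: ‘frm’ and ‘foorm’ fail f?rm because ? stands for exactly one character, and a wildcard in a field name such as user.* is not reported as a leading wildcard.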