One search feature covered by the Kibana search module is the ability to use wildcards in searches. But wildcards are extremely expensive queries to run, especially leading wildcards. Therefore, you may want to consider disabling leading wildcards so that nobody can use them. In my previous article, “Elasticsearch: Using Regexp search correctly”, I detailed how to avoid leading-wildcard queries, specifically queries of the following type:

GET my_example/_search
{
  "query": {
    "regexp": {
      "content": ".*work"
    }
  }
}

This query is very expensive in Elasticsearch: regexp searches are slow and expensive to begin with, and a leading wildcard can make your Elasticsearch very busy if you have a lot of data. Many users will want to avoid this kind of query. We can disable these queries in Kibana. Keep in mind that Kibana has two query languages, KQL and Lucene, and you need to disable leading wildcards for both.

 

Disable KQL leading wildcard queries

First, we open Kibana:

 

Let’s scroll down:

For KQL searches, we disable this feature by clicking the switch above. Once it is disabled, let’s run an experiment. We create the following my_index in Kibana:

PUT my_index/_doc/1
{
  "category": "sports"
}

We then create an index pattern for my_index and search in Discover:

Above, we see the only document in my_index. We try the following search:

The wildcard search clearly succeeded. We then search with a leading wildcard:

We see error messages indicating that my settings are working.
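
The following Python check is an added example, not code from the original article: it walks an Elasticsearch query body and reports leading-wildcard clauses such as the ".*work" regexp shown earlier, which is useful for auditing request bodies that do not come from the Kibana search bar. The function names, the matching heuristics and the second sample query are assumptions made for this illustration.

```python
import re

# Heuristics chosen for this example, not an Elasticsearch API.
LEADING_REGEXP = re.compile(r"^\(?\.[*+]")      # ".*work", "(.*)work"
LEADING_WILDCARD = re.compile(r"^[*?]")         # "*orts", "?ports"
# query_string term with an optional "field:" prefix; skips "*", "*:*", "field:*".
QS_TERM = re.compile(r"(?:^|[\s(])(?:[\w.]+:)?([*?][^\s):]+)")


def pattern_of(spec):
    """Accept the short form "pat" and the long form {"value": "pat"}."""
    if isinstance(spec, dict):
        return str(spec.get("value", ""))
    return spec if isinstance(spec, str) else ""


def find_leading_wildcards(node, path="$"):
    """Return (path, query type, pattern) for each leading-wildcard clause."""
    hits = []
    if isinstance(node, list):
        for i, item in enumerate(node):
            hits += find_leading_wildcards(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key in ("regexp", "wildcard") and isinstance(value, dict):
                rx = LEADING_REGEXP if key == "regexp" else LEADING_WILDCARD
                for field, spec in value.items():
                    pat = pattern_of(spec)
                    if rx.search(pat):
                        hits.append((f"{here}.{field}", key, pat))
            elif key == "query_string" and isinstance(value, dict):
                for term in QS_TERM.findall(str(value.get("query", ""))):
                    hits.append((here, key, term))
            else:
                hits += find_leading_wildcards(value, here)
    return hits


# The regexp query from the article, plus a constructed bool query for contrast.
ARTICLE_QUERY = {"query": {"regexp": {"content": ".*work"}}}
CONSTRUCTED_QUERY = {"query": {"bool": {"must": [
    {"wildcard": {"category": {"value": "*orts"}}},   # leading: flagged
    {"wildcard": {"category": "spor*"}},              # trailing: not flagged
    {"query_string": {"query": "category:*orts AND status:ok"}},
]}}}

if __name__ == "__main__":
    for hit in find_leading_wildcards(ARTICLE_QUERY) + find_leading_wildcards(CONSTRUCTED_QUERY):
        print(hit)
```

Each hit gives the location of the clause inside the request body, so the offending query can be traced back to the dashboard or client that issued it.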