A.2 Wildcards in Search Queries

Sentinel supports wildcards in search values but not in regular expressions:

  • The asterisk (*) matches zero or more characters.

  • The question mark (?) matches exactly one character.

For example:

  • adm*test: Matches admtest, ADMTEST, admintest, adMINtEst (note the lack of case sensitivity).

  • adm?test: Matches adm1test and AdMatest. Does not match admtest or ADMINTEST because it must have exactly one character between "adm" and "test."

A.2.1 Wildcards in Tokenized Fields

Wildcards are applied differently to tokenized fields and non-tokenized fields. Wildcards for tokenized fields match only words that were parsed from the value and not the entire value. For example, if you specify the search query msg:authentication*failed to search for the message The user authentication has failed on the server, it does not return the events with this message. This is because “*” does not match anything between “authentication” and “failed.” However, it matches any words that begin with “authentication” and end with “failed.” For example, it returns results if any of the following words are used: “authenticationhasfailed,” “authenticationuserfailed,” and “authenticationserverfailed.” For tokenized fields, all matching that uses wildcard searches is done on the words within the value and not on the full value.

A.2.2 Quoted Wildcards

Tokenized Fields

When wildcards are quoted, they are not treated as wildcards, but as word delimiters. For example, consider the following query:

msg:"user* fail*"

The search value "user* fail*" is parsed into two words, “user” and “fail.” The semantic is “find any event where the msg field contains the words “user” and “fail” in that order, with no intervening words between them.” Thus, it does not match the following value:

The user authentication has failed on the server.

This is because the wildcard is not treated as a wildcard but as a word delimiter.

Non-Tokenized Fields

When wildcards are quoted, they are treated as literal characters to search. For example, if the query is sun:"adm*", it returns the following values:

adm*
ADM* (case-insensitive)

The query does not return the following values:

admin
ADMIN

A.2.3 Leading Wildcards

Leading wildcards are not valid in searches because Lucene does not allow the * or ? characters to be the first character of a search value. For example, the following queries are invalid:

  • sun:*adm* The semantic is “find any event whose initiator username value contains the letters a, d, and m in sequence.”

  • sun:*tester The semantic is “find any event whose initiator username value ends with tester.”

  • sun:* The semantic is “find any event whose initiator username field is non-empty.”

    Because this is an important type of query, Sentinel provides an alternative way to accomplish this. For more information, see The notnull Query.
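The following is an added illustration of the rules stated in A.2 through A.2.3, not Sentinel's or Lucene's own matching code. It models a query of the form field:value or field:"value" against an event dictionary: unquoted * and ? are translated into an anchored, case-insensitive regular expression; for a tokenized field the pattern is applied to each parsed word rather than to the whole value; a quoted value is a literal for a non-tokenized field and an ordered, adjacent phrase for a tokenized field; and a leading * or ? is rejected. The field names (msg as tokenized, sun as non-tokenized), the tokenizer (splitting on runs of non-alphanumeric characters) and the sample events are assumptions chosen to reproduce the examples in the text.

```python
import re

# Assumptions for the model (not documented Sentinel behaviour):
# which fields are tokenized, and how values are split into words.
TOKENIZED_FIELDS = {"msg"}
NON_TOKENIZED_FIELDS = {"sun"}   # initiator username
_WORD_RE = re.compile(r"[A-Za-z0-9]+")


def tokenize(value):
    """Split a value into lower-cased words; '*' and '?' act as delimiters here."""
    return [w.lower() for w in _WORD_RE.findall(value)]


def wildcard_to_regex(pattern):
    """Translate an unquoted search value into an anchored, case-insensitive regex.

    '*' matches zero or more characters, '?' exactly one; everything else is literal.
    A leading '*' or '?' is rejected, as described in A.2.3.
    """
    if pattern[:1] in ("*", "?"):
        raise ValueError("leading wildcards are not valid: %r" % pattern)
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def parse_query(query):
    """Split 'field:value' or 'field:"value"' into (field, value, quoted)."""
    field, sep, value = query.partition(":")
    if not sep or not field or not value:
        raise ValueError("expected field:value, got %r" % query)
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return field, value[1:-1], True
    return field, value, False


def is_valid_query(query):
    """True if the query can be compiled; False for a leading wildcard (A.2.3)."""
    try:
        _, value, quoted = parse_query(query)
        if not quoted:
            wildcard_to_regex(value)
        return True
    except ValueError:
        return False


def matches(query, event):
    """Return True if the event matches the query under the modelled rules."""
    field, value, quoted = parse_query(query)
    data = event.get(field)
    if data is None:
        return False
    if field in TOKENIZED_FIELDS:
        words = tokenize(data)
        if quoted:
            # A.2.2, tokenized: quoted wildcards are word delimiters, and the
            # resulting words must appear adjacent and in order.
            phrase = tokenize(value)
            n = len(phrase)
            return n > 0 and any(words[i:i + n] == phrase
                                 for i in range(len(words) - n + 1))
        # A.2.1: the wildcard pattern must match a whole word, never the full value.
        rx = wildcard_to_regex(value)
        return any(rx.fullmatch(w) for w in words)
    if quoted:
        # A.2.2, non-tokenized: '*' and '?' are literal characters.
        return data.lower() == value.lower()
    rx = wildcard_to_regex(value)
    return rx.fullmatch(data) is not None


if __name__ == "__main__":
    # Constructed sample events, chosen to mirror the examples in the text.
    checks = [
        ("sun:adm*test", {"sun": "adMINtEst"}),
        ("sun:adm?test", {"sun": "ADMINTEST"}),
        ("msg:authentication*failed", {"msg": "The user authentication has failed on the server"}),
        ("msg:authentication*failed", {"msg": "authenticationhasfailed on host"}),
        ('msg:"user* fail*"', {"msg": "The user authentication has failed on the server."}),
        ('sun:"adm*"', {"sun": "ADM*"}),
        ('sun:"adm*"', {"sun": "admin"}),
    ]
    for q, ev in checks:
        print("%-30s %-55s -> %s" % (q, ev, matches(q, ev)))
    for q in ("sun:*adm*", "sun:*tester", "sun:*"):
        print("%-30s valid=%s" % (q, is_valid_query(q)))
```

The phrase rule in the tokenized quoted case is the reason "user* fail*" fails against the sample message: after tokenizing, the query is the two-word phrase user fail, and the message contains neither the word fail nor user immediately followed by it.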