[KQL] Add support for case-insensitive searches #55378
Comments
Pinging @elastic/kibana-app (Team:KibanaApp)
This depends more on how your field was analyzed at ingestion time. If your field is configured to use the Lowercase token filter then your KQL queries on that field will be case insensitive.
The use case I'm looking for is following the ingestion of Linux Thanks!
Following up on this, I don't believe the Filebeat module for Apache/Nginx/IIS web log ingestion offers an option to use the Lowercase token filter. The ability to query data with a KQL
Pinging @elastic/kibana-app-arch (Team:AppArch)
Just my semi-regular follow-up on this request. Thank you!
Hey, just checking in again! You guys do great work, and this would be a fantastic feature to add to Kibana for log analysis. Thank you! 🙏
Just checking in, any status on getting case-insensitive KQL match functionality?
@joswr1ght There's been no direct work on this, but in the future release of 7.10, Elasticsearch will offer a case-insensitive option for wildcard searches. I'm proposing that we change KQL to use this by default in this issue, if you want to follow that discussion.
Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)
When will we be able to query case insensitive in Kibana KQL? I also see #134143
## Summary

Part of #55378. Adds a `caseInsensitive` option to the KQL parsing options (`KueryQueryOptions`). When enabled, keyword queries (both wildcard<sup>[1]</sup> and term<sup>[2]</sup>) will add the `case_insensitive` option to enable case-insensitive search.

[1] https://www.elastic.co/guide/en/elasticsearch/reference/8.6/query-dsl-wildcard-query.html#wildcard-query-field-params
[2] https://www.elastic.co/guide/en/elasticsearch/reference/8.6/query-dsl-term-query.html#term-field-params

### Checklist

- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Co-authored-by: Kibana Machine <[email protected]>
Closing this because it's not planned to be resolved in the foreseeable future. It will be tracked in our Icebox and will be re-opened if our priorities change. Feel free to re-open if you think it should be melted sooner. This works with ES|QL btw:
Describe the feature:
Requesting the implementation of an `UPPER()` function in KQL to be applied to fields, converting the record content to all uppercase:
UPPER(url.original):*SELECT*
KQL currently lacks a mechanism to perform case-insensitive searches. When using Kibana for system log analysis, attackers can evade detection by mixing case in data that would show up in web logs. For example, a search to identify a SQL injection attack utilizing the SQL UNION keyword might be:
url.original:*UNION*
An attacker who constructs an attack where the HTTP request uses the SQL keyword UnioN would evade detection with this KQL query.
Describe a specific use case for the feature:
Thank you for your consideration.
-Josh
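As an added example (not Kibana's code and not from the PR), a small TypeScript model of the mapping the PR describes: a KQL keyword wildcard clause such as `url.original:*UNION*` becomes an Elasticsearch wildcard query with or without the documented `case_insensitive` parameter, and a local matcher evaluates it against constructed web-log documents so the detection gap from the report (`UNION` matched, `UnioN` missed) is visible. The function names, the parser's `field:value` scope and the sample documents are assumptions.

```typescript
// Shape of the Elasticsearch wildcard query this example emits.
interface WildcardQuery {
  wildcard: { [field: string]: { value: string; case_insensitive?: boolean } };
}

// Hypothetical minimal parser for the `field:*value*` KQL shape from the issue.
// `caseInsensitive` mirrors the option name from the PR; `case_insensitive` is
// the Elasticsearch wildcard/term parameter linked in the PR description.
function kqlWildcardToDsl(
  kql: string,
  opts: { caseInsensitive?: boolean } = {}
): WildcardQuery {
  const idx = kql.indexOf(':');
  if (idx < 1) throw new Error(`expected field:value, got ${JSON.stringify(kql)}`);
  const field = kql.slice(0, idx).trim();
  const params: { value: string; case_insensitive?: boolean } = {
    value: kql.slice(idx + 1).trim(),
  };
  if (opts.caseInsensitive) params.case_insensitive = true;
  return { wildcard: { [field]: params } };
}

// Local evaluator standing in for Elasticsearch: `*` and `?` keep their wildcard
// meaning, every other character is literal; case folding only when the flag is set.
function wildcardMatches(q: WildcardQuery, doc: Record<string, string>): boolean {
  for (const [field, params] of Object.entries(q.wildcard)) {
    const raw = doc[field];
    if (raw === undefined) return false;
    const pattern = params.value
      .split('')
      .map((c) => (c === '*' ? '.*' : c === '?' ? '.' : c.replace(/[.+^${}()|[\]\\]/g, '\\$&')))
      .join('');
    return new RegExp(`^${pattern}$`, params.case_insensitive ? 'is' : 's').test(raw);
  }
  return false;
}

// Constructed sample web-log documents (not real traffic).
const sampleDocs: Record<string, string>[] = [
  { 'url.original': '/search?q=1 UNION SELECT 1' },
  { 'url.original': '/search?q=1 UnioN SeLeCt 1' },
  { 'url.original': '/index.html' },
];

// Number of sample documents the KQL clause would surface under each setting.
function countHits(kql: string, caseInsensitive: boolean): number {
  const q = kqlWildcardToDsl(kql, { caseInsensitive });
  return sampleDocs.filter((d) => wildcardMatches(q, d)).length;
}
```

Without the flag `url.original:*UNION*` surfaces only the all-caps document; with it both injection attempts are returned, which is the behaviour the PR's option switches on.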