The search with (*) does not return all the expected results. #5750

Closed
damarisg opened this issue Aug 1, 2023 · 2 comments
Labels: level/task (Task issue), qa/known (Issues that are already known by the QA team), type/bug (Bug issue), type/research (Spikes, researchs, PoCs)

damarisg commented Aug 1, 2023

| Wazuh | Elastic | Rev | Security |
| --- | --- | --- | --- |
| 4.5.0 | 7.x | 4xxx | Basic, ODFE, Xpack |

| Browser |
| --- |
| Firefox 115.0.2 (64-bit) |

Description

The goal of this test is to check that search works without specifying a field and using (*).

It shows results, but not all that it should. I identified 2 specific cases.

I consider that by default, all results should be displayed, and the option not to filter administrator events should be disabled.
If we enable the option, the events should not appear.

Note: Found on Demo environment 4.5.0 in testing E2E.


Steps to reproduce

Case 1: When starting with (*)

  1. Navigate to 'Modules' > 'Security Events' where the API env-1 is selected.
  2. Click on the Events view.
  3. Check there is a value with information to filter: v4
  4. Generate the query with *v4

Case 2: When finishing with (*)

  1. Navigate to 'Modules' > 'Security Events' where the API env-1 is selected.
  2. Click on the Events view.
  3. Check there is a value with information to filter: MASQUERADE
  4. Generate the query with *MASQU*

Expected Result

  1. Show results that contain titles or any detail with the word selected

Actual Result

Case 1: When starting with (*)

  1. Shows results that have contents with the word selected
  2. Doesn't show events that have titles with the word selected as showing the first list.

Case 2: When finishing with (*)

  1. Shows results that have contents with the word selected
  2. Doesn't show events that have titles with the word selected as showing the first list.

gdiazlo commented Aug 2, 2023

These results are related to the searchable fields. In the OpenSearch documentation https://opensearch.org/docs/2.6/api-reference/index-apis/create-index/ there is an option called

index.query.default_field, which is "A field or list of fields that OpenSearch uses in queries in case a field isn’t specified in the parameters."

So every time we search without a field, your search looks in more fields than the ones displayed by the Discover in the events section.

That explains why you can see different results, or why sometimes you've got results that you don't know why they match. If you expand the event details, you will see the matched field and value.
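The effect described in the comment above, as an added example that is not part of the original thread or of Wazuh's code: it reports which searched fields of a constructed alert match a wildcard term and whether each one is a displayed column. The `DISPLAYED` and `DEFAULT_FIELDS` lists are assumptions for illustration, and the per-token, case-insensitive glob is a simplification of how the indexer matches.

```python
from fnmatch import fnmatchcase

# Constructed sample alert; the values are made up for this example.
ALERT = {
    "rule": {"description": "Listened ports status changed", "id": "533"},
    "agent": {"name": "host-v4", "ip": "10.0.0.4"},
    "full_log": "iptables -t nat -A POSTROUTING -j MASQUERADE",
    "data": {"srcip": "10.0.0.9"},
}

# Assumption: columns shown in the events table.
DISPLAYED = ["rule.description", "rule.id", "agent.name"]
# Assumption: fields a field-less query searches (stand-in for index.query.default_field).
DEFAULT_FIELDS = DISPLAYED + ["full_log", "data.srcip"]


def flatten(doc, prefix=""):
    """Yield (dotted.path, value-as-string) for every leaf of a nested document."""
    for key, value in doc.items():
        path = prefix + key
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            yield path, str(value)


def explain_match(doc, term, default_fields=DEFAULT_FIELDS, displayed=DISPLAYED):
    """Map each searched field that matches `term` to 'displayed' or 'hidden'."""
    pattern = term.lower()
    hits = {}
    for path, value in flatten(doc):
        if path not in default_fields:
            continue  # a field-less query never looks at this field
        # Simplification: glob each whitespace-separated token, ignoring case.
        if any(fnmatchcase(token, pattern) for token in value.lower().split()):
            hits[path] = "displayed" if path in displayed else "hidden"
    return hits


if __name__ == "__main__":
    for term in ("*v4", "*MASQU*"):
        print(term, explain_match(ALERT, term))
```

A hit reported as `hidden` is an event that matches the search although none of its visible columns contain the term.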

@AlexRuiz7

Wildcards can be used as prefix and suffix without problems. However, in the case of keyword mappings, only exact (case-sensitive) results are allowed, so wildcards have no effect on these mappings.

Sources:

AlexRuiz7 closed this as not planned on Aug 21, 2023
mauromalara added the qa/known (Issues that are already known by the QA team) label on Aug 31, 2023