Using wildcards efficiently
Though the index is based on words, it is possible to use wildcards when necessary, albeit a little carefully. Take a look at some interesting facts about wildcards:
- Only trailing wildcards are efficient: Stated simply, bob* will find events containing Bobby efficiently, but *by or *ob* will not. The latter cases will scan all events in the time frame specified.
- Wildcards are tested last: Wildcards are tested after all other terms. Given the search authclass *ob* hello world, all other terms besides *ob* will be searched first. The more you can limit the results using full words and fields, the better your search will perform.
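The two rules above can be seen on a small word-based inverted index. The following is an added illustration, not code from the book or from Splunk: it indexes the two sample events quoted later on this page with a simplified, hypothetical tokenizer, resolves a trailing wildcard as a prefix range over the sorted lexicon, falls back to scanning the remaining candidate events for a leading or embedded wildcard, and applies wildcard terms after all exact terms so that scan stays small.

```python
import bisect
import fnmatch
import re
from collections import defaultdict

# Constructed sample data: the two events quoted on this page.
EVENTS = [
    "2012-02-07T01:04:31.102-0600 INFO AuthClass Hello world. [user=Bobby, ip=1.2.3.3]",
    '2012-02-07T01:23:34.204-0600 INFO BarClass Goodbye. [user=Bobby, ip=1.2.3.3, message="Out of this world"]',
]

def tokenize(event):
    """Break an event into lowercase word terms (a simplified, hypothetical segmenter)."""
    return {t.strip(".").lower() for t in re.findall(r"[A-Za-z0-9_.]+", event)} - {""}

# Word-based inverted index: term -> set of event ids, plus a sorted lexicon of terms.
INDEX = defaultdict(set)
for eid, event in enumerate(EVENTS):
    for term in tokenize(event):
        INDEX[term].add(eid)
LEXICON = sorted(INDEX)

def search(query):
    """AND all terms; return (sorted matching event ids, number of entries examined).

    An exact term is one lookup. A trailing wildcard becomes a prefix range over the
    sorted lexicon. A leading or embedded wildcard cannot use the lexicon order, so every
    remaining candidate event is scanned; running wildcards last keeps that set small.
    """
    terms = query.lower().split()
    candidates, work = set(range(len(EVENTS))), 0
    for term in [t for t in terms if "*" not in t]:      # exact terms first
        candidates &= INDEX.get(term, set())
        work += 1
    for term in [t for t in terms if "*" in t]:          # wildcards tested last
        if term.endswith("*") and term.count("*") == 1 and len(term) > 1:
            prefix = term[:-1]
            lo = bisect.bisect_left(LEXICON, prefix)
            hi = bisect.bisect_left(LEXICON, prefix + "\uffff")  # end of the prefix range
            candidates &= set().union(*(INDEX[t] for t in LEXICON[lo:hi]))
            work += hi - lo
        else:
            work += len(candidates)  # full scan of whatever is left
            candidates = {e for e in candidates
                          if any(fnmatch.fnmatchcase(t, term) for t in tokenize(EVENTS[e]))}
    return sorted(candidates), work

if __name__ == "__main__":
    for q in ("bob*", "*by", "*ob*", "authclass *ob* hello world"):
        print(f"{q!r}: events={search(q)[0]} examined={search(q)[1]}")
```

The examined count is the point: bob* touches one lexicon entry, *by and *ob* touch every candidate event, and placing exact terms before *ob* shrinks that scan to a single event.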
Supplementing wildcards in fields
Given the following events, a search for world would return both events:
2012-02-07T01:04:31.102-0600 INFO AuthClass Hello world. [user=Bobby, ip=1.2.3.3]
2012-02-07T01:23:34.204-0600 INFO BarClass Goodbye. [user=Bobby, ip=1.2.3.3, message="Out of this world"]
What if you only wanted the second event but all...