Using wildcards efficiently
Though the index is based on words, wildcards can be used when needed, but some care is required, because only some wildcard forms can be answered from the index.
Only trailing wildcards are efficient
Stated simply, bob* will find events containing Bobby efficiently, but *by or *ob* will not. The latter cases will scan all events in the time frame specified.
Wildcards are tested last
Wildcards are tested after all other terms. Given the search authclass *ob* hello world, all other terms besides *ob* will be searched first. The more you can limit the results using full words and fields, the better your search will perform.
Supplementing wildcards in fields
Given the following events, a search for world would return both events:

2012-02-07T01:04:31.102-0600 INFO AuthClass Hello world. [user=Bobby, ip=1.2.3.3]
2012-02-07T01:23:34.204-0600 INFO BarClass Goodbye. [user=Bobby, ip=1.2.3.3, message="Out of this world"]
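To make the two points above concrete, here is an added example (not code from the original text or from Splunk itself) that builds a small word-based inverted index over the two events and answers bob*, *by and *ob* against it. The tokenizer and the "full words before wildcards" ordering are simplified assumptions, but the mechanics are the same: a trailing wildcard seeks straight to its prefix in the sorted lexicon, a leading or embedded wildcard has to test every term.

```python
import bisect
import re
from collections import defaultdict

# Constructed sample input: the same two events shown above.
EVENTS = [
    '2012-02-07T01:04:31.102-0600 INFO AuthClass Hello world. [user=Bobby, ip=1.2.3.3]',
    '2012-02-07T01:23:34.204-0600 INFO BarClass Goodbye. [user=Bobby, ip=1.2.3.3, message="Out of this world"]',
]

def tokenize(event):
    # Simplified word breaker (assumption): lower-case runs of letters/digits,
    # keeping dotted values such as 1.2.3.3 together.
    return set(re.findall(r"[a-z0-9]+(?:\.[a-z0-9]+)*", event.lower()))

def build_index(events):
    """Inverted index: term -> set of event ids, plus the sorted lexicon."""
    postings = defaultdict(set)
    for eid, event in enumerate(events):
        for term in tokenize(event):
            postings[term].add(eid)
    return postings, sorted(postings)

POSTINGS, TERMS = build_index(EVENTS)

def lookup(pattern):
    """Return (matching event ids, number of lexicon terms examined)."""
    pat = pattern.lower()
    if "*" not in pat:                      # full word: direct hash lookup
        return POSTINGS.get(pat, set()), 1
    if pat.endswith("*") and "*" not in pat[:-1]:
        # Trailing wildcard: binary-search to the prefix, walk only the
        # contiguous run of terms that share it, then stop.
        prefix = pat[:-1]
        ids, examined = set(), 0
        for term in TERMS[bisect.bisect_left(TERMS, prefix):]:
            examined += 1
            if not term.startswith(prefix):
                break
            ids |= POSTINGS[term]
        return ids, examined
    # Leading or embedded wildcard: nothing to seek to, so every term
    # in the lexicon must be tested (the "scan everything" case).
    rx = re.compile("^" + ".*".join(map(re.escape, pat.split("*"))) + "$")
    ids = set()
    for term in TERMS:
        if rx.match(term):
            ids |= POSTINGS[term]
    return ids, len(TERMS)

def search(*patterns):
    """AND the terms together, evaluating full words before wildcards."""
    ids = set(range(len(EVENTS)))
    for p in sorted(patterns, key=lambda p: "*" in p):
        ids &= lookup(p)[0]
    return ids
```

Compare lookup("bob*")[1] with lookup("*by")[1]: both find the same events, but the trailing form examines a couple of lexicon entries while the leading form examines all of them.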
What if you only wanted the second event, but all you know is that the event contains world somewhere in...