Case Insensitive Search Options #14872

cmdpink · 2025-07-24T04:26:21Z

cmdpink
Jul 24, 2025

Version

2.4.80

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

23

RAM

64

Storage for /

600G

Storage for /nsm

40T

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello,
I'm a newer user to Security Onion and had a question about search behavior in Security Onion 2.4.80+.

I've noticed that when searching through the dashboards, queries appear to be case sensitive, for example, searching

destination.geo.country_name: "United States"

Will return results, but searching

destination.geo.country_name: "united states"
Or
destination.geo.country_name: "UNITED STATES"

Will return no results.

I wanted to check, was case insensitive searching ever supported on previous versions of Security Onion? Is there currently any way to make all index fields case insensitive globally? Or maybe a workaround that allows for more flexible searching?

I'd really appreciate any guidance, thank you!

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by defensivedepth

Jul 25, 2025

There is a long history around this issue. We believe that case-insensitive, wildcard search capabilities are important - this used to be feasible with custom elasticsearch analyzers. With some technical changes to the underlying Elastic stack, this was no longer possible. So we moved to using EQL for the Sigma/Elastalert rules which allows wildcard + case insensitivity via the query language. OQL (based on lucene) has limited support for this, though we are working on finding a better solution.

View full answer

defensivedepth · 2025-07-25T12:33:21Z

defensivedepth
Jul 25, 2025
Maintainer

There is a long history around this issue. We believe that case-insensitive, wildcard search capabilities are important - this used to be feasible with custom elasticsearch analyzers. With some technical changes to the underlying Elastic stack, this was no longer possible. So we moved to using EQL for the Sigma/Elastalert rules which allows wildcard + case insensitivity via the query language. OQL (based on lucene) has limited support for this, though we are working on finding a better solution.

2 replies

cmdpink Jul 28, 2025
Author

Understood, thank you for the explanation.

defensivedepth Jul 28, 2025
Maintainer

To be clear, text fields do have case insensitivity. Again, we are aware of the issues and continue to work on a comprehensive solution to it.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Case Insensitive Search Options #14872

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Case Insensitive Search Options #14872

Uh oh!

cmdpink Jul 24, 2025

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 2 replies

Uh oh!

defensivedepth Jul 25, 2025 Maintainer

Uh oh!

cmdpink Jul 28, 2025 Author

Uh oh!

defensivedepth Jul 28, 2025 Maintainer

cmdpink
Jul 24, 2025

Replies: 1 comment 2 replies

defensivedepth
Jul 25, 2025
Maintainer

cmdpink Jul 28, 2025
Author

defensivedepth Jul 28, 2025
Maintainer