diff --git a/pkg/simple/client/auditing/elasticsearch/elasticsearch.go b/pkg/simple/client/auditing/elasticsearch/elasticsearch.go
index a0c76af7b17a0c07742328a4eeab15c921e111d2..75b1b0a7cbe198c1cb09c4653d2e79cf216a2ce9 100644
--- a/pkg/simple/client/auditing/elasticsearch/elasticsearch.go
+++ b/pkg/simple/client/auditing/elasticsearch/elasticsearch.go
@@ -367,7 +367,7 @@ func parseToQueryPart(f *auditing.Filter) interface{} {
 }
 }
 if len(f.ObjectRefNamespaceFuzzy) > 0 {
- if bi := shouldBoolbody("wildcard", "ObjectRef.Namespace",
+ if bi := shouldBoolbody("wildcard", "ObjectRef.Namespace.keyword",
 f.ObjectRefNamespaceFuzzy, func(s string) string {
 return fmt.Sprintf("*" + s + "*")
 }); bi != nil {
@@ -382,7 +382,7 @@ func parseToQueryPart(f *auditing.Filter) interface{} {
 }
 }
 if len(f.WorkspaceFuzzy) > 0 {
- if bi := shouldBoolbody("wildcard", "Workspace",
+ if bi := shouldBoolbody("wildcard", "Workspace.keyword",
 f.WorkspaceFuzzy, func(s string) string {
 return fmt.Sprintf("*" + s + "*")
 }); bi != nil {
@@ -391,13 +391,13 @@ func parseToQueryPart(f *auditing.Filter) interface{} {
 }
 if len(f.ObjectRefNames) > 0 {
- if bi := shouldBoolbody("match_phrase_prefix", "ObjectRef.Name.keyword",
+ if bi := shouldBoolbody("match_phrase", "ObjectRef.Name.keyword",
 f.ObjectRefNames, nil); bi != nil {
 b.Filter = append(b.Filter, map[string]interface{}{"bool": bi})
 }
 }
 if len(f.ObjectRefNameFuzzy) > 0 {
- if bi := shouldBoolbody("wildcard", "ObjectRef.Name",
+ if bi := shouldBoolbody("wildcard", "ObjectRef.Name.keyword",
 f.ObjectRefNameFuzzy, func(s string) string {
 return fmt.Sprintf("*" + s + "*")
 }); bi != nil {
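Review bot: The pattern builder kept as context in the first hunk, `fmt.Sprintf("*" + s + "*")`, uses the caller-supplied filter value as the format string, so a value containing `%` is rewritten by Sprintf and the audit search silently runs a different pattern from the one requested; `go vet` also reports non-constant format strings. Plain concatenation avoids this: `func(s string) string { return "*" + s + "*" }`. The same closure is repeated in the WorkspaceFuzzy, ObjectRefNameFuzzy, SourceIpFuzzy, UserFuzzy and GroupFuzzy hunks. Separately, `*` and `?` inside `s` reach Elasticsearch as wildcard metacharacters, and it is worth deciding whether that is intended or whether the value should be escaped first. parseToQueryPart starts and ends outside the hunk.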
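Review bot: Nothing in the `ObjectRefNames` branch of the third hunk documents that the filter is now an exact match: with `match_phrase` on `ObjectRef.Name.keyword` the value has to equal the whole stored name, where `match_phrase_prefix` presumably also accepted a leading part of it. A one-line comment above the `if`, such as `// ObjectRefNames matches the full object name exactly; use ObjectRefNameFuzzy for substring search.`, would keep callers from reading an empty result as "no audit events for this object".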
@@ -406,20 +406,20 @@ func parseToQueryPart(f *auditing.Filter) interface{} {
 }
 if len(f.Verbs) > 0 {
- if bi := shouldBoolbody("match_phrase", "Verb",
+ if bi := shouldBoolbody("match_phrase", "Verb.keyword",
 f.Verbs, nil); bi != nil {
 b.Filter = append(b.Filter, map[string]interface{}{"bool": bi})
 }
 }
 if len(f.Levels) > 0 {
- if bi := shouldBoolbody("match_phrase", "Level",
+ if bi := shouldBoolbody("match_phrase", "Level.keyword",
 f.Levels, nil); bi != nil {
 b.Filter = append(b.Filter, map[string]interface{}{"bool": bi})
 }
 }
 if len(f.SourceIpFuzzy) > 0 {
- if bi := shouldBoolbody("wildcard", "SourceIPs",
+ if bi := shouldBoolbody("wildcard", "SourceIPs.keyword",
 f.SourceIpFuzzy, func(s string) string {
 return fmt.Sprintf("*" + s + "*")
 }); bi != nil {
@@ -434,7 +434,7 @@ func parseToQueryPart(f *auditing.Filter) interface{} {
 }
 }
 if len(f.UserFuzzy) > 0 {
- if bi := shouldBoolbody("wildcard", "User.Username",
+ if bi := shouldBoolbody("wildcard", "User.Username.keyword",
 f.UserFuzzy, func(s string) string {
 return fmt.Sprintf("*" + s + "*")
 }); bi != nil {
@@ -443,7 +443,7 @@ func parseToQueryPart(f *auditing.Filter) interface{} {
 }
 if len(f.GroupFuzzy) > 0 {
- if bi := shouldBoolbody("wildcard", "User.Groups",
+ if bi := shouldBoolbody("wildcard", "User.Groups.keyword",
 f.GroupFuzzy, func(s string) string {
 return fmt.Sprintf("*" + s + "*")
 }); bi != nil {
diff --git a/pkg/simple/client/auditing/elasticsearch/elasticsearch_test.go b/pkg/simple/client/auditing/elasticsearch/elasticsearch_test.go
index 05251203f1d8ae93ba9ee6d824b356f02acdb972..5fd8b593984f63d1fda42ffdf9b40f1642cd462a 100644
--- a/pkg/simple/client/auditing/elasticsearch/elasticsearch_test.go
+++ b/pkg/simple/client/auditing/elasticsearch/elasticsearch_test.go
@@ -175,7 +175,7 @@ func TestParseToQueryPart(t *testing.T) {
 "bool": {
 "should": [
 {
- "match_phrase_prefix": {
+ "match_phrase": {
 "ObjectRef.Name.keyword": "istio"
 }
 }
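Review bot: `Verb.keyword` and `Level.keyword` in the first hunk here are compared without analysis, so these two filters become case-sensitive: a request for `metadata` or `Create` presumably matched the analyzed `Verb`/`Level` text fields before and will now return nothing, with no error. If the index relies on Elasticsearch's default dynamic mapping, the `.keyword` subfield also carries `ignore_above: 256`, so longer values (more plausible for `User.Groups` or `ObjectRef.Name` than for verbs) are not indexed there and drop out of every `.keyword` query in this commit. The mapping is not visible in this diff, so this should be confirmed against the index template. Either normalise the filter values before building the query or state the contract in a comment, for example `// .keyword fields are exact and case-sensitive; filter values must match the stored audit event verbatim.`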
@@ -188,7 +188,7 @@ func TestParseToQueryPart(t *testing.T) {
 "should": [
 {
 "wildcard": {
- "ObjectRef.Name": "*istio*"
+ "ObjectRef.Name.keyword": "*istio*"
 }
 }
 ],
@@ -200,7 +200,7 @@ func TestParseToQueryPart(t *testing.T) {
 "should": [
 {
 "match_phrase": {
- "Verb": "create"
+ "Verb.keyword": "create"
 }
 }
 ],
@@ -212,7 +212,7 @@ func TestParseToQueryPart(t *testing.T) {
 "should": [
 {
 "match_phrase": {
- "Level": "Metadata"
+ "Level.keyword": "Metadata"
 }
 }
 ],
@@ -224,7 +224,7 @@ func TestParseToQueryPart(t *testing.T) {
 "should": [
 {
 "wildcard": {
- "SourceIPs": "*192.168*"
+ "SourceIPs.keyword": "*192.168*"
 }
 }
 ],
@@ -248,7 +248,7 @@ func TestParseToQueryPart(t *testing.T) {
 "should": [
 {
 "wildcard": {
- "User.Username": "*system:serviceaccount*"
+ "User.Username.keyword": "*system:serviceaccount*"
 }
 }
 ],
@@ -260,7 +260,7 @@ func TestParseToQueryPart(t *testing.T) {
 "should": [
 {
 "wildcard": {
- "User.Groups": "*system:serviceaccounts*"
+ "User.Groups.keyword": "*system:serviceaccounts*"
 }
 }
 ],
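Review bot: The updated wildcard expectations still exercise only plain values (`*istio*`, `*192.168*`, `*system:serviceaccount*`), so nothing pins what the fuzzy filters emit when the input contains `%`, `*` or `?`. A case whose `ObjectRefNameFuzzy` value is a constructed sample such as `a%b`, expecting `"ObjectRef.Name.keyword": "*a%b*"`, would catch the pattern being altered before it reaches Elasticsearch. A second case with mixed-case input for `Level` would document the exact-match behaviour of the `.keyword` fields. TestParseToQueryPart starts and ends outside these hunks, so the shape of its fixture is inferred from the expected JSON only.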