Hi, a bit more information.
I tried adding a custom analyzer based off a recommendation I saw online
somewhere. This partly works in that it's not tokenising. But I can't do
wildcard searches in Kibana on the fields, and they're now case sensitive :(
curl localhost:9200/_template/logstash-username -XPUT -d '{
  "template": "logstash-*",
  "settings": {
    "analysis": {
      "analyzer": {
        "lc_analyzer": {
          "type": "custom",
          "tokenizer": "keyword",
          "filter": ["lowercase"]
        }
      }
    }
  },
  "mappings": {
    "_default_": {
      "properties": {
        "User_Name": { "type": "string", "analyzer": "lc_analyzer" }
      }
    }
  }
}'
Thanks
On Wednesday, January 8, 2014 3:26:03 PM UTC, Chris H wrote:
>
> Hi. I've deployed elasticsearch with logstash and kibana to take in
> Windows logs from my OSSEC log server, following this guide:
> http://vichargrave.com/ossec-log-management-with-elasticsearch/
> I've tweaked the logstash config to extract some specific fields from the
> logs, such as User_Name. I'm having some issues searching on these fields
> though.
>
> These searches work as expected:
>
> - User_Name: *
> - User_Name: john.smith
> - User_Name: john.*
> - NOT User_Name: john.*
>
> But I'm having problems with Computer accounts, which take the format
> "w-dc-01$" - they're being split on the "-" and the "$" is ignored. So a
> search for "w-dc-01" returns all the servers named "w-<anything>". Also I
> can't do "NOT User_Name: *$" to exclude computer accounts.
>
> The mappings are created automatically by logstash, and GET
> /logstash-2014.01.08/_mapping shows:
>
> "User_Name": {
>   "type": "multi_field",
>   "fields": {
>     "User_Name": {
>       "type": "string",
>       "omit_norms": true
>     },
>     "raw": {
>       "type": "string",
>       "index": "not_analyzed",
>       "omit_norms": true,
>       "index_options": "docs",
>       "include_in_all": false,
>       "ignore_above": 256
>     }
>   }
> },
>
> My (limited) understanding is that the "not_analyzed" should stop the
> field being split, so that my searching matches the full name, but it
> doesn't. I'm trying both kibana and curl to get results.
>
> Hope this makes sense. I really like the look of elasticsearch, but being
> able to search on extracted fields like this is pretty key to me using it.
>
> Thanks.
>
>
>
--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/96e74e53-54f9-48ec-9e5c-8f1354b264be%40googlegroups.com.
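To see why the computer-account searches in the thread behave as they do, here is an added Python model, not code from the thread or from Elasticsearch: the standard analyzer that the default logstash mapping applies to `User_Name` (hyphens split the value, the `$` is dropped) next to the keyword + lowercase analyzer the reply configures. The sample usernames in `DOCS` are constructed, and `search` is a hypothetical, simplified stand-in for `query_string` (OR between analyzed terms, wildcards matched against indexed terms), not the real query engine.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample values (not from the thread): one user account and three
# computer accounts, which end in "$" as the original post describes.
DOCS = {1: "john.smith", 2: "w-dc-01$", 3: "w-dc-02$", 4: "W-FILE-01$"}

def standard_analyzer(text):
    """Rough model of the default (standard) analyzer that logstash's mapping applies
    to User_Name: split on anything that is not a letter or digit, then lowercase.
    "w-dc-01$" becomes ["w", "dc", "01"], so the "$" is never indexed at all."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]

def keyword_lowercase_analyzer(text):
    """Model of the reply's custom analyzer (keyword tokenizer + lowercase filter):
    the whole value is kept as a single lowercased term."""
    return [text.lower()]

def build_index(analyzer, docs=DOCS):
    """Inverted index, term -> set of document ids, as the field's analyzer sees it."""
    index = {}
    for doc_id, value in docs.items():
        for term in analyzer(value):
            index.setdefault(term, set()).add(doc_id)
    return index

def search(analyzer, query, docs=DOCS):
    """Simplified query_string lookup (hypothetical helper, not an Elasticsearch API).
    A wildcard query is lowercased and matched against the indexed terms as-is; a plain
    query is run through the field's analyzer and any token may match (OR, the
    query_string default). Returns the sorted matching document ids."""
    index = build_index(analyzer, docs)
    hits = set()
    if "*" in query or "?" in query:
        for term, ids in index.items():
            if fnmatchcase(term, query.lower()):
                hits |= ids
    else:
        for token in analyzer(query):
            hits |= index.get(token, set())
    return sorted(hits)

if __name__ == "__main__":
    for analyzer in (standard_analyzer, keyword_lowercase_analyzer):
        print(analyzer.__name__)
        for q in ("w-dc-01", "w-dc-01$", "W-DC-01$", "*$", "w-dc-*"):
            print(f"  {q!r:12} -> {search(analyzer, q)}")
```

On the standard-analyzed field "w-dc-01" pulls in every "w-..." account and "*$" matches nothing, while on the keyword field the full name matches exactly, "*$" finds the computer accounts, and "w-dc-*" still works as a wildcard.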