Hi, Jun. That doesn't seem to work. For a user with the username bob.smith-jones:

- bob.smith-jones -> matches
- bob.smith-aaaa -> matches
- bob.smi* -> matches
- bob.smith-j* -> no results
- bob.smith\-j* -> no results

Also, a "$" isn't one of the special characters.

Thanks.

On Thursday, January 9, 2014 8:52:46 AM UTC, Jun Ohtani wrote:
>
> Hi Chris,
>
> Could you try to escape "-" in query for "not_analyzed" field?
>
> http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#_reserved_characters
>
> I hope this helps.
> Regards,
>
> ------------
> Jun Ohtani
> [email protected]
> blog : http://blog.johtani.info
> twitter : http://twitter.com/johtani
>
>
> On 2014/01/09 17:20, Chris H <[email protected]> wrote:
>
> > Hi, a bit more information.
> >
> > I tried adding a custom analyzer based off a recommendation I saw online somewhere. This partly works in that it's not tokenising. But I can't do wildcard searches in Kibana on the fields, and they're now case sensitive :(
> >
> > # Put an index template whose "User_Name" field uses a keyword tokenizer plus
> > # a lowercase token filter. The token filter list is configured under the key
> > # "filter" (not "filters"); an unknown key is ignored and no lowercasing happens.
> > curl localhost:9200/_template/logstash-username -XPUT -d '{
> >   "template": "logstash-*",
> >   "settings" : {
> >     "analysis": {
> >       "analyzer": {
> >         "lc_analyzer": {
> >           "type": "custom",
> >           "tokenizer": "keyword",
> >           "filter": ["lowercase"]
> >         }
> >       }
> >     }
> >   },
> >   "mappings": {
> >     "_default_": {
> >       "properties" : {
> >         "User_Name" : { "type" : "string", "analyzer" : "lc_analyzer" }
> >       }
> >     }
> >   }
> > }'
> >
> > Thanks
> >
> > On Wednesday, January 8, 2014 3:26:03 PM UTC, Chris H wrote:
> > > Hi. I've deployed elasticsearch with logstash and kibana to take in Windows logs from my OSSEC log server, following this guide:
> > > http://vichargrave.com/ossec-log-management-with-elasticsearch/
> > >
> > > I've tweaked the logstash config to extract some specific fields from the logs, such as User_Name. I'm having some issues searching on these fields though.
> > >
> > > These searches work as expected:
> > > • User_Name: *
> > > • User_Name: john.smith
> > > • User_Name: john.*
> > > • NOT User_Name: john.*
> > >
> > > But I'm having problems with Computer accounts, which take the format "w-dc-01$" - they're being split on the "-" and the "$" is ignored. So a search for "w-dc-01" returns all the servers named "w-<anything>". Also I can't do "NOT User_Name: *$" to exclude computer accounts.
> > >
> > > The mappings are created automatically by logstash, and GET /logstash-2014.01.08/_mapping shows:
> > >
> > >   "User_Name": {
> > >     "type": "multi_field",
> > >     "fields": {
> > >       "User_Name": {
> > >         "type": "string",
> > >         "omit_norms": true
> > >       },
> > >       "raw": {
> > >         "type": "string",
> > >         "index": "not_analyzed",
> > >         "omit_norms": true,
> > >         "index_options": "docs",
> > >         "include_in_all": false,
> > >         "ignore_above": 256
> > >       }
> > >     }
> > >   },
> > >
> > > My (limited) understanding is that the "not_analyzed" should stop the field being split, so that my searching matches the full name, but it doesn't. I'm trying both kibana and curl to get results.
> > >
> > > Hope this makes sense. I really like the look of elasticsearch, but being able to search on extracted fields like this is pretty key to me using it.
> > >
> > > Thanks.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "elasticsearch" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/96e74e53-54f9-48ec-9e5c-8f1354b264be%40googlegroups.com.
> > For more options, visit https://groups.google.com/groups/opt_out.
