Thanks, everybody. It does look like the issue is with the "lowercase_expanded_terms". I've also discovered that logstash by default creates both an analyzed and non-analyzed field, which helps a bit.
However, I've worked around my specific issue (differentiating Windows User and Computer accounts) in logstash by extracting them into separate fields.

Thanks

On Wednesday, January 8, 2014 3:26:03 PM UTC, Chris H wrote:
>
> Hi. I've deployed elasticsearch with logstash and kibana to take in Windows logs from my OSSEC log server, following this guide:
> http://vichargrave.com/ossec-log-management-with-elasticsearch/
> I've tweaked the logstash config to extract some specific fields from the logs, such as User_Name. I'm having some issues searching on these fields though.
>
> These searches work as expected:
>
> - User_Name: *
> - User_Name: john.smith
> - User_Name: john.*
> - NOT User_Name: john.*
>
> But I'm having problems with Computer accounts, which take the format "w-dc-01$" - they're being split on the "-" and the "$" is ignored. So a search for "w-dc-01" returns all the servers named "w-<anything>". Also I can't do "NOT User_Name: *$" to exclude computer accounts.
>
> The mappings are created automatically by logstash, and GET /logstash-2014.01.08/_mapping shows:
>
>     "User_Name": {
>         "type": "multi_field",
>         "fields": {
>             "User_Name": {
>                 "type": "string",
>                 "omit_norms": true
>             },
>             "raw": {
>                 "type": "string",
>                 "index": "not_analyzed",
>                 "omit_norms": true,
>                 "index_options": "docs",
>                 "include_in_all": false,
>                 "ignore_above": 256
>             }
>         }
>     },
>
> My (limited) understanding is that the "not_analyzed" should stop the field being split, so that my searching matches the full name, but it doesn't. I'm trying both kibana and curl to get results.
>
> Hope this makes sense. I really like the look of elasticsearch, but being able to search on extracted fields like this is pretty key to me using it.
>
> Thanks.
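To make the behaviour discussed in this thread concrete, here is an added toy model (not Elasticsearch itself, and not code from either poster) of the two fields logstash creates: the analyzed `User_Name` and the `not_analyzed` `User_Name.raw`. The sample values are constructed (Windows computer account names are conventionally uppercase, e.g. `W-DC-01$`), the tokenizer only approximates the standard analyzer, and `lowercase_expanded_terms` defaults to true as it does in Elasticsearch's `query_string`.

```python
import fnmatch
import re

# Constructed sample User_Name values: two users and two computer accounts.
DOCS = ["john.smith", "W-DC-01$", "W-WEB-02$", "jane.doe"]


def analyze(text):
    """Approximate the standard analyzer: split on non-alphanumerics and lowercase.
    "W-DC-01$" becomes ["w", "dc", "01"]; the "-" and "$" never reach the index."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]


def search(query, field="analyzed", lowercase_expanded_terms=True):
    """Return the docs a query_string-style query hits on the chosen field.

    field="analyzed": the query is analyzed too, and any shared token matches
                      (the default OR behaviour), which is why "w-dc-01" finds
                      every "w-<anything>" account.
    field="raw":      the stored value is a single term compared as a whole.
    Wildcard terms (* or ?) are not analyzed; they are matched against the
    stored terms and, when lowercase_expanded_terms is set, lowercased first,
    which silently breaks wildcard searches against uppercase raw values.
    """
    is_wildcard = any(c in query for c in "*?")
    if is_wildcard:
        pattern = query.lower() if lowercase_expanded_terms else query
    hits = []
    for doc in DOCS:
        terms = analyze(doc) if field == "analyzed" else [doc]
        if is_wildcard:
            matched = any(fnmatch.fnmatchcase(t, pattern) for t in terms)
        elif field == "analyzed":
            matched = bool(set(analyze(query)) & set(terms))
        else:
            matched = query in terms
        if matched:
            hits.append(doc)
    return hits


if __name__ == "__main__":
    print(search("w-dc-01"))                 # both computer accounts: split on "-"
    print(search("*$"))                      # nothing: "$" was stripped at index time
    print(search("W-DC-01$", field="raw"))   # exact match on the not_analyzed field
    print(search("W-DC-*", field="raw"))     # nothing: wildcard lowercased to "w-dc-*"
    print(search("W-DC-*", field="raw", lowercase_expanded_terms=False))
    print(search("*$", field="raw"))         # the working "exclude computer accounts" filter
```

The last two calls are the combination the reply arrives at: query the `.raw` field and turn `lowercase_expanded_terms` off for wildcard terms.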
