Assuming you have no prior mappings, your first example will put @message through a standard analyzer - i.e. it will chop it up into pieces using this analyzer:
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/analysis-standard-analyzer.html

So a query like this will not match (since the standard analyzer will make it into multiple terms like: ["useragent", "mozilla", "5.0"], etc.):

    "regexp": { "@message": "Mozilla.5.*" }

But something like this will (since it matches one of the terms: "mozilla"):

    "regexp": { "@message": "mozill." }

If instead you use something like a keyword analyzer (or not_analyzed), then the whole string is a single token (["\"userAgent\": \"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\""]). In this case a query like this will still not match:

    "regexp": { "@message": "Mozilla.5.*" }

But something like this will:

    "regexp": { "@message": ".*Mozilla.5.*" }

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/d13aac4b-b71d-4cc2-ad31-afba761e43da%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
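The behaviour described in the reply above, worked through as an added example that is not part of the original thread: a small Python model of the two analyzers (a rough approximation of the standard analyzer's tokenization, which is an assumption, not Elasticsearch's real Unicode segmentation) plus an anchored regexp match, which is what Elasticsearch's regexp query does against each indexed term. The sample @message value is constructed to match the one quoted in the thread. This matters when you write detections over log fields such as user agents: a pattern that looks right against the raw string silently matches nothing if the field was analyzed.

```python
import re
from typing import List

# Constructed sample @message value, shaped like the one quoted in the thread.
MESSAGE = '"userAgent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"'


def standard_analyze(text: str) -> List[str]:
    """Rough approximation (an assumption) of the standard analyzer:
    split into alphanumeric runs, keep dotted numbers like 5.0 together,
    and lowercase every term."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+(?:\.[0-9]+)*", text)]


def keyword_analyze(text: str) -> List[str]:
    """Keyword analyzer / not_analyzed: the whole string is one term, case kept."""
    return [text]


def regexp_query_matches(terms: List[str], pattern: str) -> bool:
    """Model of a regexp query: the pattern is anchored and must match
    an entire term; it succeeds if any term of the field matches."""
    return any(re.fullmatch(pattern, term) is not None for term in terms)


def demo() -> dict:
    """Return the outcome of the thread's four queries under both analyzers."""
    std = standard_analyze(MESSAGE)
    kw = keyword_analyze(MESSAGE)
    return {
        "standard_terms": std,
        # 'Mozilla.5.*' cannot match any single lowercased term in full.
        "standard Mozilla.5.*": regexp_query_matches(std, "Mozilla.5.*"),
        # 'mozill.' matches the whole term 'mozilla'.
        "standard mozill.": regexp_query_matches(std, "mozill."),
        # Same pattern, but case differs from the lowercased term.
        "standard Mozill.": regexp_query_matches(std, "Mozill."),
        # Single term: an unanchored-looking pattern still needs a leading .*
        "keyword Mozilla.5.*": regexp_query_matches(kw, "Mozilla.5.*"),
        "keyword .*Mozilla.5.*": regexp_query_matches(kw, ".*Mozilla.5.*"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The extra `Mozill.` case shows a second trap the thread only implies: the standard analyzer lowercases terms, and the regexp query is case-sensitive, so the pattern must be lowercased too. The model uses Python's `re`, whose syntax differs from Lucene's regexp syntax in places; for these simple patterns the two agree.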
