Ahh ok. I'll have to give the keyword analyzer a try then!

Thanks,
Jamil

On Friday, February 21, 2014 2:23:06 PM UTC-8, Binh Ly wrote:
>
> Assuming you have no prior mappings, your first example will put @message
> through a standard analyzer - i.e. it will chop it up into pieces using
> this analyzer:
>
> http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/analysis-standard-analyzer.html
>
> So a query like this will not match (since the standard analyzer will make
> it into multiple terms like: ["useragent", "mozilla", "5.0"], etc.):
>
> "regexp": {
>   "@message": "Mozilla.5.*"
> }
>
> But something like this will (since it matches one of the terms:
> "mozilla"):
>
> "regexp": {
>   "@message": "mozill."
> }
>
> If instead you use something like a keyword analyzer (or not_analyzed),
> then the whole string is a single token (["\"userAgent\": \"Mozilla/5.0
> (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\""]).
>
> In this case a query like this will still not match:
>
> "regexp": {
>   "@message": "Mozilla.5.*"
> }
>
> But something like this will:
>
> "regexp": {
>   "@message": ".*Mozilla.5.*"
> }
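The four cases in the quoted reply can be reproduced offline with the added example below, which is not part of the thread or of Elasticsearch. It assumes that a regexp query must match an entire indexed term, that Python's `re.fullmatch` behaves like the Lucene regexp engine for these simple patterns, and that a small tokenizer (hypothetical helper `standard_terms`) is close enough to the standard analyzer for this user-agent string.

```python
import re

# Constructed sample: the @message value quoted in the thread.
MESSAGE = ('"userAgent": "Mozilla/5.0 (compatible; MSIE 9.0; '
           'Windows NT 6.1; Trident/5.0)"')

# Assumption: rough stand-in for the standard analyzer. It splits on
# punctuation and whitespace, keeps dots inside a token ("5.0"), and
# lowercases. The real analyzer follows Unicode segmentation rules.
_TOKEN = re.compile(r"[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*")


def standard_terms(text):
    """Approximate terms indexed for an analyzed string field."""
    return [tok.lower() for tok in _TOKEN.findall(text)]


def keyword_terms(text):
    """Keyword analyzer / not_analyzed: the whole value is one term."""
    return [text]


def regexp_hits(pattern, terms):
    """Terms matched by the pattern. The match is anchored at both ends
    of each term and runs against the indexed form, so the pattern is
    not lowercased the way the analyzed text was."""
    rx = re.compile(pattern)
    return [t for t in terms if rx.fullmatch(t)]


def run_cases():
    """Evaluate the four queries from the reply; True means a hit."""
    std, kw = standard_terms(MESSAGE), keyword_terms(MESSAGE)
    return {
        ("standard", "Mozilla.5.*"): bool(regexp_hits("Mozilla.5.*", std)),
        ("standard", "mozill."): bool(regexp_hits("mozill.", std)),
        ("keyword", "Mozilla.5.*"): bool(regexp_hits("Mozilla.5.*", kw)),
        ("keyword", ".*Mozilla.5.*"): bool(regexp_hits(".*Mozilla.5.*", kw)),
    }


if __name__ == "__main__":
    for (analyzer, pattern), hit in run_cases().items():
        print(f"{analyzer:8} {pattern:15} {'match' if hit else 'no match'}")
```

For log hunting this means a pattern written against the raw message text silently returns nothing on an analyzed field, so check the field's mapping before reading an empty result as the absence of the string.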
