Hey Guillaume, while it might make sense to fire a query like this, I think it is more useful to actually make your unstructured data more structured. When you take a look at all those postfix logs you have, you will clearly see a pattern: client=$name[$IP] is always the same... so it might make more sense to actually try to extract the IP and the hostname and put them into several fields. This is exactly what logstash is for: getting data in, enriching and parsing it, and then storing it in elasticsearch. The huge advantage of such an enrichment process is, of course, that querying now is really simple, as you always have the "right" content (only the hostname or only the IP) in the fields you are going to query.
You can definitely build a query which mimics this behaviour, but parsing the logfiles appropriately and querying only the fields you intend to query might make much more sense. See http://www.elasticsearch.org/overview/logstash/ for more info...

--Alex

On Sat, Mar 15, 2014 at 12:02 AM, Guillaume Loetscher <[email protected]> wrote:

> Hello,
>
> I'm trying to do a query search containing an equal ("=") character in it.
>
> I've got plenty of logs looking like this:
>
> <22>postfix/smtpd[9136]: E4A4E34AA5: client=localhost.localdomain[127.0.0.1]
>
> I want to query all messages that haven't been posted from "localhost.localdomain".
>
> I've looked at the query documentation here
> <http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html>
> and tried multiple queries in Kibana and through a "curl" command, but no luck.
>
> Right now, I did this query: -"client=localhost.localdomain", but no luck, it keeps giving me answers with this precise string.
>
> I also tried to protect the "=" character with a backslash.
>
> How is it possible to do a query search with this character?
>
> Thanks a lot,
>
> --
> You received this message because you are subscribed to the Google Groups "elasticsearch" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/535ac45a-6698-422e-848f-594a824032a5%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
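The parse-then-query approach Alex describes, as an added Python example that is not from the thread: it extracts the queue id, client hostname and client IP from lines in the shape Guillaume posted (constructed sample lines, not real logs), filters on the hostname field, and builds the equivalent Elasticsearch bool/must_not term query. The field names client_host and client_ip are my own choice, and the term query assumes that field is mapped as not_analyzed so the hostname is stored verbatim.

```python
import re
from typing import Optional

# Constructed sample lines in the shape shown in the thread (not real logs).
SAMPLE_LOGS = [
    "<22>postfix/smtpd[9136]: E4A4E34AA5: client=localhost.localdomain[127.0.0.1]",
    "<22>postfix/smtpd[9140]: 1B2C3D4E5F: client=mail.example.net[203.0.113.7]",
    "<22>postfix/smtpd[9142]: 0A1B2C3D4E: client=unknown[198.51.100.23]",
    "<22>postfix/smtpd[9150]: 7F8E9D0C1B: disconnect from localhost.localdomain[127.0.0.1]",
]

# Python equivalent of a grok pattern: split the fixed "client=$name[$IP]" shape into fields.
CLIENT_RE = re.compile(
    r"^<(?P<pri>\d+)>postfix/(?P<program>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<queue_id>[0-9A-F]+): client=(?P<client_host>[^\[\s]+)\[(?P<client_ip>[^\]]+)\]"
)


def parse_postfix_client(line: str) -> Optional[dict]:
    """Turn one smtpd 'client=' line into a structured document; None for any other line."""
    m = CLIENT_RE.match(line)
    if not m:
        return None
    doc = m.groupdict()
    doc["pri"] = int(doc["pri"])
    doc["pid"] = int(doc["pid"])
    doc["message"] = line  # keep the raw line as well, as logstash would
    return doc


def parse_all(lines) -> list:
    """Parse every line and drop the ones that carry no client= field."""
    return [d for d in (parse_postfix_client(l) for l in lines) if d is not None]


def not_from_host(docs, hostname: str) -> list:
    """The question's filter, applied to the parsed field: exact compare, no '=' to escape."""
    return [d for d in docs if d["client_host"] != hostname]


def exclude_host_query(hostname: str) -> dict:
    """Same filter as an Elasticsearch query body (assumes client_host is not_analyzed)."""
    return {"query": {"bool": {"must_not": {"term": {"client_host": hostname}}}}}


if __name__ == "__main__":
    for d in not_from_host(parse_all(SAMPLE_LOGS), "localhost.localdomain"):
        print(d["queue_id"], d["client_host"], d["client_ip"])
```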
