Hello,

Disclaimer: I'm a total newbie with Elasticsearch. I've installed a dedicated 
ES 1.1.0 server (FreeBSD port), Logstash 1.4.0 (and its bundled Kibana 3.x). 
Everything is working fine, except some particular searches.

I'm indexing server logs (postfix, apache, and so on), with some grok pattern 
matching. My problem arises when I try some queries, either in Kibana or in 
the Sense interface. In a few of my postfix log lines the strings "a79.e.ipso1978.fr" or 
"e.ipso1978.fr" appear:

Apr 24 06:26:53 rack postfix/smtpd[73065]: 7F32D47C: 
client=localhost[127.0.0.1], orig_client=a79.e.ipso1978.fr[178.32.165.79]
Apr 24 06:26:53 rack postfix/smtpd[73057]: ... from=<[email protected]> to=... 
helo=<e.ipso1978.fr>

And the vast majority of log lines do not contain either string.
Each line is stored verbatim into a field named "message"; I have more fields of 
course corresponding to the various patterns extracted.

Doing a search for a79.e.ipso1978.fr (w/o quotes) in Kibana returns 21048 
results: absolutely not good.
         a79.e.ipso1978.fr* (w/o quotes): 0 results, not good.
         "a79.e.ipso1978.fr" (w quotes) in ES returns 4 results: good.
         "79.e.ipso1978.fr": 0 results, not good.
         ".e.ipso1978.fr": 10 results, good.
         "e.ipso1978.fr": 10 results, good.
         ".ipso1978.fr": 0 results, not good.
         ipso1978: 0 results, not good.
         *ipso1978: 10 results, good.
         *ipso1978.fr: 0 results, not good.
         "ipso1978": 0 results, not good.

Basically, I expect any of these searches to return (only) the log lines 
containing the query (as grep, awk... would do).
Obviously, I'm missing something here. I don't understand why a simple string 
search can go so wrong. I've been struggling with this for more than a day now. It 
looks like it's not a Kibana problem, because I get the same irrelevant results 
using Sense.

Any help is greatly appreciated,
Patrick


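The pattern of hits and misses Patrick lists is exactly what you get once you look at the terms the default "standard" analyzer actually indexes for "message", rather than at the raw line. The following Python is an added example (not part of the original post, and not Elasticsearch or Logstash code): it models, for ASCII text only, the UAX#29 word-break rules that Lucene's StandardTokenizer applies, then replays each of the post's queries against a few constructed log lines with simplified query_string semantics (quoted = phrase query, `*`/`?` = wildcard on the un-analyzed term, plain = analyzed terms OR'ed together). It assumes the "message" field is indexed with the standard analyzer and that the unquoted Kibana query is a query_string with the default OR operator; the sample lines, hostnames and addresses are constructed.

```python
"""Toy reproduction of the post's search results (added example).

The rule that matters: '.' joins letter.letter and digit.digit, but NOT
letter.digit or digit.letter, so "a79.e.ipso1978.fr" is indexed as the three
terms a79, e.ipso1978 and fr, and "ipso1978" is never a term on its own.
"""
import re

# ALetter ((MidLetter | MidNumLet) ALetter)* : letters joined by . : '
LETTER_GROUP = r"[A-Za-z]+(?:[.:'][A-Za-z]+)*"
# Numeric ((MidNum | MidNumLet) Numeric)*   : digits joined by . , ;
NUMERIC_GROUP = r"[0-9]+(?:[.,;][0-9]+)*"
GROUP = rf"(?:{LETTER_GROUP}|{NUMERIC_GROUP})"
# Adjacent groups merge into one word (e.g. 7F32D47C); '_' (ExtendNumLet) joins too.
WORD_RE = re.compile(rf"_*{GROUP}+(?:_+{GROUP}+)*_*")

# Constructed sample lines modelled on the post (not real log data).
DOCS = [
    "Apr 24 06:26:53 rack postfix/smtpd[73065]: 7F32D47C: client=localhost[127.0.0.1], "
    "orig_client=a79.e.ipso1978.fr[178.32.165.79]",
    "Apr 24 06:26:53 rack postfix/smtpd[73057]: 7F32D47C: from=<bounce@e.ipso1978.fr> "
    "to=<me@example.org> helo=<e.ipso1978.fr>",
    "Apr 24 06:27:10 rack postfix/smtpd[73070]: connect from ns3.example42.fr[192.0.2.10]",
    "Apr 24 06:27:11 rack postfix/smtpd[73070]: disconnect from unknown[198.51.100.5]",
]

# The queries tried in the post, in the same order.
POST_QUERIES = [
    "a79.e.ipso1978.fr", "a79.e.ipso1978.fr*", '"a79.e.ipso1978.fr"',
    '"79.e.ipso1978.fr"', '".e.ipso1978.fr"', '"e.ipso1978.fr"',
    '".ipso1978.fr"', "ipso1978", "*ipso1978", "*ipso1978.fr", '"ipso1978"',
]


def standard_analyze(text):
    """Terms as the standard analyzer would index them (tokenized + lowercased)."""
    return [m.group(0).lower() for m in WORD_RE.finditer(text)]


def _wildcard_re(pattern):
    # Wildcard terms bypass the analyzer; query_string lowercases them by default.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern.lower())
    return re.compile(body + r"\Z")


def _contains_phrase(tokens, phrase):
    n = len(phrase)
    return any(tokens[i:i + n] == phrase for i in range(len(tokens) - n + 1))


def search(query, docs):
    """Simplified query_string over an analyzed field; returns matching doc indices."""
    hits = []
    for i, doc in enumerate(docs):
        tokens = standard_analyze(doc)
        if len(query) >= 2 and query[0] == query[-1] == '"':
            # Phrase query: the query is analyzed too, terms must be adjacent.
            matched = _contains_phrase(tokens, standard_analyze(query[1:-1]))
        elif "*" in query or "?" in query:
            # Wildcard query: pattern is matched against whole indexed terms.
            rx = _wildcard_re(query)
            matched = any(rx.match(t) for t in tokens)
        else:
            # Plain query: analyzed, terms OR'ed (query_string default operator).
            matched = bool(set(standard_analyze(query)) & set(tokens))
        if matched:
            hits.append(i)
    return hits


def search_raw(pattern, docs):
    """Wildcard query against a not_analyzed copy of the field (whole line = one term)."""
    rx = _wildcard_re(pattern)
    return [i for i, doc in enumerate(docs) if rx.match(doc.lower())]


if __name__ == "__main__":
    print("terms for a79.e.ipso1978.fr:", standard_analyze("a79.e.ipso1978.fr"))
    for q in POST_QUERIES:
        print(f"{q:22} -> {search(q, DOCS)}")
    print("not_analyzed *ipso1978.fr* ->", search_raw("*ipso1978.fr*", DOCS))
```

The real check on an ES 1.x cluster is the analyze API, e.g. `curl 'http://localhost:9200/_analyze?analyzer=standard&pretty' -d 'a79.e.ipso1978.fr'`, which should list the same three terms the model produces. A grep-like substring search needs a not_analyzed copy of the field queried with a wildcard, as `search_raw` does here (Logstash 1.4's bundled index template adds such a `message.raw` sub-field; confirm with the index's `_mapping` before relying on it), and a leading-wildcard query is a scan over every term in the index, so it is slow. The practitioner caveat is the forensic one: on an analyzed field a zero-hit search for an indicator such as a hostname says nothing about whether that indicator is in the logs.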