Hello, Any idea?
On 25 Apr. 2014, at 13:45, Patrick Proniewski wrote:

> Hello,
>
> Disclaimer: I'm a total newbie with Elasticsearch. I've installed a dedicated
> ES 1.1.0 server (FreeBSD port), Logstash 1.4.0 (and its bundled Kibana 3.x).
> Everything is working fine, except some particular searches.
>
> I'm indexing server logs (postfix, apache, and so on), with some grok pattern
> matching. My problem arises when I try some queries, either in Kibana or in
> the Sense interface. In a few of my postfix log lines the strings "a79.e.ipso1978.fr"
> or "e.ipso1978.fr" appear:
>
> Apr 24 06:26:53 rack postfix/smtpd[73065]: 7F32D47C:
> client=localhost[127.0.0.1], orig_client=a79.e.ipso1978.fr[178.32.165.79]
> Apr 24 06:26:53 rack postfix/smtpd[73057]: ... from=<[email protected]>
> to=... helo=<e.ipso1978.fr>
>
> And the vast majority of log lines do not contain either string.
> Each line is stored verbatim into a field named "message"; I have more fields
> of course corresponding to various patterns extracted.
>
> Doing a search for a79.e.ipso1978.fr (w/o quotes) in Kibana returns 21048
> results: absolutely not good.
> a79.e.ipso1978.fr* (w/o quotes): 0 results, not good.
> "a79.e.ipso1978.fr" (w quotes) in ES returns 4 results: good.
> "79.e.ipso1978.fr": 0 results, not good.
> ".e.ipso1978.fr": 10 results, good.
> "e.ipso1978.fr": 10 results, good.
> ".ipso1978.fr": 0 results, not good.
> ipso1978: 0 results, not good.
> *ipso1978: 10 results, good.
> *ipso1978.fr: 0 results, not good.
> "ipso1978": 0 results, not good.
>
> Basically, I expect any of these searches to return (only) every log line
> containing the query (as grep, awk... would).
> Obviously, I'm missing something here. I don't understand why a simple string
> search can go so wrong. I've been struggling with this for more than a day now. It
> looks like it's not a Kibana problem, because I get the same irrelevant
> results using Sense.
>
> Any help is greatly appreciated,
> Patrick
>
> --
> You received this message because you are subscribed to the Google Groups
> "elasticsearch" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/elasticsearch/EFE80EB8-E6C7-4F46-A522-B2AB915BEEFB%40patpro.net.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/B6178425-6BFF-4688-AC43-0B5F257725C5%40patpro.net.
For more options, visit https://groups.google.com/d/optout.
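The result pattern quoted in the thread (an unquoted query matching far too much, quoted phrases and `*ipso1978` matching, `ipso1978` and `*ipso1978.fr` matching nothing) is consistent with the `message` field being indexed by Elasticsearch's default standard analyzer, which splits `a79.e.ipso1978.fr` into the three terms `a79`, `e.ipso1978` and `fr`: a dot is kept inside a term only between two letters or between two digits. The script below is an added example, not code from the thread or from Elasticsearch itself. It approximates that tokenization, replays the poster's query types (unquoted, quoted phrase, wildcard) against a few constructed log lines, and shows how a `not_analyzed` copy of the field (an assumed mapping, not the poster's configuration) gives the grep-like behaviour asked for.

```python
"""Why a query_string search on an analyzed Elasticsearch field is not grep.
Added example for the thread above; the tokenizer is an approximation."""
import re

# Constructed sample log lines, modelled on the postfix lines quoted in the post.
LOG_LINES = [
    "Apr 24 06:26:53 rack postfix/smtpd[73065]: 7F32D47C: client=localhost[127.0.0.1],"
    " orig_client=a79.e.ipso1978.fr[178.32.165.79]",
    "Apr 24 06:26:53 rack postfix/smtpd[73057]: 7F32D47C: from=<sender@example.net>"
    " to=<user@example.org> helo=<e.ipso1978.fr>",
    "Apr 24 06:27:11 rack httpd: 203.0.113.9 GET /fr/index.html 200",
    "Apr 24 06:27:12 rack sshd[1234]: Accepted publickey for admin from 203.0.113.7 port 51234 ssh2",
]

# Assumed mitigation (example mapping, not the poster's config): index "message"
# twice, analyzed for free-text search and as a not_analyzed "raw" copy that
# keeps the whole line as one term.  ES 1.x multi-field syntax.
MESSAGE_MAPPING = {
    "message": {
        "type": "string",
        "fields": {"raw": {"type": "string", "index": "not_analyzed"}},
    }
}


def standard_tokens(text):
    """Approximation of the Lucene StandardTokenizer (UAX#29 word boundaries)
    plus lowercasing, the default analysis for an ES 1.x string field.
    A '.' stays inside a token only when both neighbours are letters (WB6/WB7)
    or both are digits (WB11/WB12); every other '.' and all other punctuation
    is a boundary.  Stop words and the full Unicode tables are omitted
    (assumption: irrelevant for these inputs)."""
    tokens = []
    for run in re.findall(r"[A-Za-z0-9_.]+", text):
        run = run.strip(".")  # a leading or trailing '.' joins nothing
        buf = []
        for i, ch in enumerate(run):
            if ch != ".":
                buf.append(ch)
                continue
            prev, nxt = run[i - 1], run[i + 1]  # safe: run never starts/ends with '.'
            joins = (prev.isalpha() and nxt.isalpha()) or (prev.isdigit() and nxt.isdigit())
            if joins:
                buf.append(ch)
            else:
                tokens.append("".join(buf))
                buf = []
        tokens.append("".join(buf))
    return [t.lower() for t in tokens if t]


def or_query(tokens, query):
    """Unquoted query_string on an analyzed field: the query text goes through
    the same analyzer and the terms are OR-ed (the default operator), so one
    common term such as 'fr' is enough for a hit."""
    return any(term in tokens for term in standard_tokens(query))


def phrase_query(tokens, phrase):
    """Quoted phrase: all analyzed terms must occur in order at adjacent positions."""
    terms = standard_tokens(phrase)
    n = len(terms)
    return n > 0 and any(tokens[i:i + n] == terms for i in range(len(tokens) - n + 1))


def wildcard_query(terms, pattern):
    """Wildcard query: the pattern is NOT analyzed; it is lowercased
    (lowercase_expanded_terms default) and matched against whole indexed terms."""
    rx = re.compile(".*".join(re.escape(part) for part in pattern.lower().split("*")))
    return any(rx.fullmatch(term) for term in terms)


def raw_wildcard_query(message, pattern):
    """Same wildcard query on the not_analyzed copy: the only term is the whole
    line, so '*needle*' behaves like grep.  Note the pattern is lowercased but a
    not_analyzed term is not, so mixed-case content needs a lowercase needle."""
    return wildcard_query([message], pattern)


def run_queries():
    """Hit counts per query over LOG_LINES, mirroring the poster's test list."""
    analyzed = [standard_tokens(line) for line in LOG_LINES]
    needle = "a79.e.ipso1978.fr"
    return {
        "grep": sum(needle in line for line in LOG_LINES),
        "unquoted a79.e.ipso1978.fr": sum(or_query(t, needle) for t in analyzed),
        'phrase "a79.e.ipso1978.fr"': sum(phrase_query(t, needle) for t in analyzed),
        'phrase "e.ipso1978.fr"': sum(phrase_query(t, "e.ipso1978.fr") for t in analyzed),
        'phrase ".ipso1978.fr"': sum(phrase_query(t, ".ipso1978.fr") for t in analyzed),
        "unquoted ipso1978": sum(or_query(t, "ipso1978") for t in analyzed),
        "wildcard *ipso1978": sum(wildcard_query(t, "*ipso1978") for t in analyzed),
        "wildcard *ipso1978.fr": sum(wildcard_query(t, "*ipso1978.fr") for t in analyzed),
        "wildcard a79.e.ipso1978.fr*": sum(wildcard_query(t, needle + "*") for t in analyzed),
        "raw wildcard *a79.e.ipso1978.fr*": sum(
            raw_wildcard_query(line, "*" + needle + "*") for line in LOG_LINES),
    }


if __name__ == "__main__":
    print(standard_tokens(LOG_LINES[0]))
    for label, hits in run_queries().items():
        print(f"{hits:2d}  {label}")
```

The same shape appears as in the thread: the unquoted query over-matches because the isolated term `fr` (here from a `/fr/` URL path) is enough for a hit, the full phrase and `*ipso1978` work because they line up with the indexed terms, and anything that straddles a term boundary (`ipso1978`, `*ipso1978.fr`, `a79.e.ipso1978.fr*`) finds nothing. Only the `not_analyzed` copy reproduces grep. A leading-wildcard query such as `*needle*` has to scan the whole term dictionary, so on a large index the quoted phrase on the analyzed field is the cheaper option whenever the string boundaries happen to coincide with token boundaries.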
