btw: v0.20.2 has search result highlighting that shows you what was actually matched and why it was returned as a search result.

On Tue, Apr 8, 2014 at 6:41 PM, Lennart Koopmann <[email protected]> wrote:
> Please try searching for this: 1311-10013*
>
> The other messages that are not found have a _ not a - after the
> 10013. I guess this is not being split automatically by the tokenizer.
>
> On Tue, Apr 8, 2014 at 10:39 AM, Denny Gebel <[email protected]> wrote:
>> Hi all,
>>
>> we have a serious problem with the search - maybe someone can give me a
>> hint or solution. Currently we see this problem with vsftpd logs.
>>
>> Example:
>>
>> I am searching for a specific client IP ("10.20.1.163"). Result is like 100+
>> messages. Result set looks fine. See the most recent five messages below.
>>
>> Mon Apr 7 23:00:48 2014 [pid 26077] [username] OK UPLOAD: Client
>> "10.20.1.163", "/somedir/OPC-1311-10013-20140407_230001-system.info", 26196
>> bytes, 0.72Kbyte/sec
>> Mon Apr 7 23:00:11 2014 [pid 26077] [username] OK UPLOAD: Client
>> "10.20.1.163", "/somedir/1311-10013_something_20140407_220000.xml", 1042
>> bytes, 0.72Kbyte/sec
>> Mon Apr 7 23:00:06 2014 [pid 25919] [username] OK LOGIN: Client
>> "10.20.1.163"
>> Mon Apr 7 23:00:05 2014 [pid 25920] CONNECT: Client "10.20.1.163"
>> Mon Apr 7 22:01:14 2014 [pid 27601] [username] OK UPLOAD: Client
>> "10.20.1.163", "/somedir/1311-10013_something_20140407_210000.xml", 1047
>> bytes, 0.02Kbyte/sec
>>
>>
>> Now I want to search for "1311-10013", which should give me at least(!) the
>> three results from my search above. In fact, I'm getting ONLY one message as
>> result.
>>
>> Mon Apr 7 23:00:48 2014 [pid 26077] [username] OK UPLOAD: Client
>> "10.20.1.163", "/somedir/OPC-1311-10013-20140407_230001-system.info", 26196
>> bytes, 0.72Kbyte/sec
>>
>>
>> Logs are transferred with logstash from the ftp server. input = file, output
>> = gelf. No filter etc. Graylog/Graylog-Web: 0.20.1
>>
>>
>> Any suggestions? What am I doing wrong?
>>
>>
>> Thanks,
>>
>> Denny
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "graylog2" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
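
An added example, not part of the original thread and not Graylog's code: it approximates in Python the Unicode word-break rules (UAX #29) that Lucene's StandardTokenizer follows and runs them over three of the log lines quoted above, showing why a file-name ID can drop out of a log search. It assumes the index uses that analyzer and that a hit needs every query term present; `tokenize`, `matching` and `hidden_in` are hypothetical names.

```python
import re

# Approximation of UAX #29 word breaking: "_" joins letters and digits,
# "-", "/" and double quotes split, "." or "'" joins only letter-to-letter
# and "." or "," only digit-to-digit. Assumed analyzer, not confirmed
# by the thread.
TOKEN = re.compile(
    r"[A-Za-z0-9_]+(?:(?:(?<=[A-Za-z])[.'](?=[A-Za-z])"
    r"|(?<=[0-9])[.,](?=[0-9]))[A-Za-z0-9_]+)*"
)

# Log lines quoted in the thread.
MESSAGES = [
    'Mon Apr 7 23:00:48 2014 [pid 26077] [username] OK UPLOAD: Client '
    '"10.20.1.163", "/somedir/OPC-1311-10013-20140407_230001-system.info", '
    '26196 bytes, 0.72Kbyte/sec',
    'Mon Apr 7 23:00:11 2014 [pid 26077] [username] OK UPLOAD: Client '
    '"10.20.1.163", "/somedir/1311-10013_something_20140407_220000.xml", '
    '1042 bytes, 0.72Kbyte/sec',
    'Mon Apr 7 23:00:06 2014 [pid 25919] [username] OK LOGIN: Client '
    '"10.20.1.163"',
]

def tokenize(text):
    """Lowercased index terms the approximated tokenizer emits for text."""
    return [t.lower() for t in TOKEN.findall(text)]

def matching(query, messages):
    """Messages containing every term of the analyzed query (assumed semantics)."""
    wanted = set(tokenize(query))
    return [m for m in messages if wanted <= set(tokenize(m))]

def hidden_in(term, message):
    """Longer index terms that swallow `term`, so a search for it misses."""
    return [t for t in tokenize(message) if term in t and t != term]

if __name__ == "__main__":
    for query in ("10.20.1.163", "1311-10013"):
        print(query, "->", len(matching(query, MESSAGES)), "of", len(MESSAGES))
    for msg in MESSAGES:
        print(hidden_in("10013", msg))
```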
