Please try searching for this:

1311-10013*

The other messages that are not found have a _ not a - after the 10013. I guess this is not being split automatically by the tokenizer.

On Tue, Apr 8, 2014 at 10:39 AM, Denny Gebel <[email protected]> wrote:
> Hi all,
>
> we have some serious problem with the search - maybe someone can give me a hint or solution. Currently we see this problem with vsftpd logs.
>
> Example:
>
> I am searching for a specific client IP ("10.20.1.163"). Result is like 100+ messages. Resultset looks fine. See the most recent five messages below.
>
> Mon Apr 7 23:00:48 2014 [pid 26077] [username] OK UPLOAD: Client "10.20.1.163", "/somedir/OPC-1311-10013-20140407_230001-system.info", 26196 bytes, 0.72Kbyte/sec
> Mon Apr 7 23:00:11 2014 [pid 26077] [username] OK UPLOAD: Client "10.20.1.163", "/somedir/1311-10013_something_20140407_220000.xml", 1042 bytes, 0.72Kbyte/sec
> Mon Apr 7 23:00:06 2014 [pid 25919] [username] OK LOGIN: Client "10.20.1.163"
> Mon Apr 7 23:00:05 2014 [pid 25920] CONNECT: Client "10.20.1.163"
> Mon Apr 7 22:01:14 2014 [pid 27601] [username] OK UPLOAD: Client "10.20.1.163", "/somedir/1311-10013_something_20140407_210000.xml", 1047 bytes, 0.02Kbyte/sec
>
> Now I want to search for "1311-10013", which should give me at least(!) the three results from my search above. In fact, I'm getting ONLY one message as result.
>
> Mon Apr 7 23:00:48 2014 [pid 26077] [username] OK UPLOAD: Client "10.20.1.163", "/somedir/OPC-1311-10013-20140407_230001-system.info", 26196 bytes, 0.72Kbyte/sec
>
> Logs are transferred with logstash from the ftp server. input = file, output = gelf. No filter etc. Graylog/Graylog-Web: 0.20.1
>
> Any suggestions? What am I doing wrong?
>
> Thanks,
>
> Denny
>
> --
> You received this message because you are subscribed to the Google Groups "graylog2" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
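
A simplified model of the tokenizer behaviour guessed at in the reply above, added here as an example (not part of the original thread, and not Graylog's or Elasticsearch's actual analyzer). It assumes that `_` stays inside a token while `-` separates tokens, that every query term must match, and that a trailing `*` makes the last term a prefix match; `tokenize`, `build_index` and `search` are hypothetical names.

```python
import re

# Constructed from the three UPLOAD messages quoted in the thread (paths only).
MESSAGES = [
    "/somedir/OPC-1311-10013-20140407_230001-system.info",
    "/somedir/1311-10013_something_20140407_220000.xml",
    "/somedir/1311-10013_something_20140407_210000.xml",
]

# Assumption: a token is a run of letters, digits and "_"; every other
# character, including "-", "/" and ".", separates tokens.
TOKEN = re.compile(r"[A-Za-z0-9_]+")

def tokenize(text):
    return [t.lower() for t in TOKEN.findall(text)]

def build_index(messages):
    """Inverted index: token -> set of message numbers."""
    index = {}
    for n, msg in enumerate(messages):
        for tok in tokenize(msg):
            index.setdefault(tok, set()).add(n)
    return index

def search(index, query):
    """AND of all query terms; a trailing '*' makes the last term a prefix."""
    prefix = query.endswith("*")
    terms = tokenize(query)
    hits = None
    for i, term in enumerate(terms):
        if prefix and i == len(terms) - 1:
            found = set()
            for tok, ids in index.items():
                if tok.startswith(term):
                    found |= ids
        else:
            found = index.get(term, set())
        hits = found if hits is None else hits & found
    return sorted(hits or [])

INDEX = build_index(MESSAGES)

if __name__ == "__main__":
    print(tokenize(MESSAGES[1]))         # "10013_something_..." stays one token
    print(search(INDEX, "1311-10013"))   # exact terms: only the OPC-... message
    print(search(INDEX, "1311-10013*"))  # prefix on the last term: all three
```

When log file names carry identifiers joined by `_`, an exact-term search can silently miss events, so it is worth checking a prefix query before concluding that a client or file never appeared in the logs.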
