Hi, currently only a few message fields are being analyzed by default (source, message, and full_message) which enables wildcard searches (like *vowel*). If you want to analyze the url message field as well, you'll have to create a matching index template in Elasticsearch, see https://www.elastic.co/guide/en/elasticsearch/reference/1.7/indices-templates.html for details.
Cheers, Jochen

On Wednesday, 9 September 2015 15:28:59 UTC+2, DH wrote:
> Hi All
>
> I'd like to search within a field that has been extracted but I can't find the correct syntax to make it work. For example:
>
> I can drill down to this: "source:router AND user:test1 AND url:http\:\/\/www.voweletics.com\/api\/census\/RecordHit\?crumb=f4b06f2a67"
>
> But what I want to search for is this: "source:router AND user:test1 AND url:(vowel)" and return all the values that contain "vowel" in the url.
>
> This didn't work either: "source:router AND user:test1 AND url:(*vowel*)"
>
> Looking for some advice....
>
> ~D
