Hi Dilip,
are you 100% sure that the message is in a new index, that the index
template/mapping was properly applied (see
https://www.elastic.co/guide/en/elasticsearch/reference/1.7/indices-get-mapping.html),
and that it is the "message" field you were looking for (and not
"full_message" or another field)?
Cheers,
Jochen
On Monday, 2 May 2016 18:57:40 UTC+2, Dilip Muthukrishnan wrote:
>
> Hi Jochen,
>
> Thanks for your reply. I'm using graylog-1.3.4 (server). I removed and
> added an updated version of the "graylog-internal" template and then cycled
> the deflector through the web interface. The new index mapping reflects
> the changes:
>
> "message" : {
> "type" : "string",
> "analyzer" : "whitespace"
> }
>
>
> However, it doesn't appear to be reflected in the search. This message is
> from the latest index but based on this tokenization, it appears to still
> be using the old "standard analyzer":
>
> 02.05.2016 12:47:33.488 *ERROR* [Shell Script Executor Thread for cpu.sh]
> com.day.crx.core.CRXSessionImpl session# 144563 opened (103)
> java.lang.Exception: Stack Trace at
> com.day.crx.core.CRXSessionImpl$Tracker.open(CRXSessionImpl.java:212) at
> com.day.crx.core.CRXSessionImpl$Tracker.<init>(CRXSessionImpl.java:205) at
> com.day.crx.core.CRXSessionImpl.<init>(CRXSessionImpl.java:179) at
> com.day.crx.core.CRXRepositoryImpl.createSessionInstance(CRXRepositoryImpl.java:911)
>
> at
> org.apache.jackrabbit.core.RepositoryImpl.createSession(RepositoryImpl.java:959)
>
> at
> org.apache.jackrabbit.core.SessionFactory.createAdminSession(SessionFactory.java:42)
>
> at
> com.day.crx.sling.server.impl.SlingRepositoryWrapper.loginAdministrative(SlingRepositoryWrapper.java:76)
>
> at
> com.adobe.granite.monitoring.impl.ShellScriptExecutorImpl.extractScript(ShellScriptExecutorImpl.java:161)
>
> at
> com.adobe.granite.monitoring.impl.ShellScriptExecutorImpl.execute(ShellScriptExecutorImpl.java:114)
>
> at
> com.adobe.granite.monitoring.impl.ScriptMBean.invoke(ScriptMBean.java:99)
> at
> com.adobe.granite.monitoring.impl.ScriptMBean.invoke(ScriptMBean.java:158)
> at
> com.adobe.granite.monitoring.impl.ScriptConfigImpl$ExecutionThread.run(ScriptConfigImpl.java:208)
>
> at java.lang.Thread.run(Thread.java:662)
>
>
> Field terms: 02.05.2016124733.488errorshellscriptexecutorthreadforcpu.sh
> com.day.crx.core.crxsessionimplsession144563opened103java.lang.exception
> stacktraceattracker.opencrxsessionimpl.java212trackerinit205179
> com.day.crx.core.crxrepositoryimpl.createsessioninstance
> crxrepositoryimpl.java911
> org.apache.jackrabbit.core.repositoryimpl.createsessionrepositoryimpl.java
> 959org.apache.jackrabbit.core.sessionfactory.createadminsession
> sessionfactory.java42
> com.day.crx.sling.server.impl.slingrepositorywrapper.loginadministrative
> slingrepositorywrapper.java76
> com.adobe.granite.monitoring.impl.shellscriptexecutorimpl.extractscript
> shellscriptexecutorimpl.java161
> com.adobe.granite.monitoring.impl.shellscriptexecutorimpl.execute114
> com.adobe.granite.monitoring.impl.scriptmbean.invokescriptmbean.java99158
> com.adobe.granite.monitoring.impl.scriptconfigimplexecutionthread.run
> scriptconfigimpl.java208java.lang.thread.runthread.java662
>
> As you can see, it has been stripped of various characters like colons and
> parentheses.
>
>
> On Monday, May 2, 2016 at 12:36:38 PM UTC-4, Jochen Schalanda wrote:
>>
>> Hi Dilip,
>>
>> the index mapping of Graylog is applied by the means of an index
>> template. In Graylog 2.0.0, the index template will automatically be
>> updated but in older versions you'll have to remove the index template
>> yourself for it to be recreated by Graylog.
>>
>> See
>> https://www.elastic.co/guide/en/elasticsearch/reference/1.7/indices-templates.html
>>
>> for details.
>>
>> Cheers,
>> Jochen
>>
>> On Thursday, 28 April 2016 21:42:23 UTC+2, Dilip Muthukrishnan wrote:
>>>
>>> I'm trying to change the analyzer from "standard" to "whitespace". I've
>>> set the following property in my Graylog server configuration:
>>>
>>> elasticsearch_analyzer = whitespace
>>>
>>> It states that my change will be applied to new indices so I manually
>>> cycled the deflector so that it is now pointing to graylog2_1 (previously
>>> graylog2_0). However, the new index still uses the "standard" analyzer
>>> based on the mapping in Elasticsearch:
>>>
>>> "message" : {
>>> "type" : "string",
>>> "analyzer" : "standard"
>>> },
>>>
>>>
>>> How do I change the analyzer?
>>>
>>>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/f0508462-77e1-4a5c-9f6b-3491531f9adc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
