Hi!
We have Graylog 1.2.2.
We use the nginx log file. We add it in Graylog using a (GELF TCP) input.
In this input, extractors are already set up with the help of GROK patterns.
Below you can see the model:
grok_pattern: %{IPV4:ngnix_clientip} - - \[.*?\]
%{WORD:ngnix_method;string} %{DATA:ngnix_path;string} HTTP/.*?
"%{INT:ngnix_responsecode;short}" (?:%{INT:ngnix_pagesize}|-)
"%{DATA:ngnix_referrer;string}"
"%{DATA:ngnix_useragent;string}".*?"%{BASE16FLOAT:ngnix_pagetime;float}"
(?:"%{DATA:ngnix_website;string}"|-)
As a result, we have a field ngnix_useragent and forced it to the string type.
Everything works correctly, but we have one problem.
When I do my query in the search field like “message:google”, Graylog
searches and shows me all lines where there is any info about the substring
“google”.
This can be in the useragent or in the referrer, no matter. Anyway, this is OK.
But, the main problem is:
If I only search inside the field ngnix_useragent (a query of the type
“ngnix_useragent:google”), in this case Graylog does not find anything.
If I ask the field a detailed query (what we have in ngnix_useragent),
in this case Graylog will find correctly.
I think search inside the field does not work correctly, which is connected
with GROK (or REGEX or any other stuff, no matter; any way it does not work).
MY MAIN QUESTION:
1. Can we search a substring inside the field? Is this my mistake or is this
how Graylog works?
2. Would you be so kind to help me solve this problem.
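Added illustration of the behaviour described in this post (not code from the post or from Graylog itself), assuming the Graylog 1.x index mapping in which `message` is analyzed while extractor-created string fields are stored unanalyzed: a Python model of the searches above, run over a constructed nginx line and a hand-expanded rendering of the posted grok pattern.

```python
import re

# Constructed sample nginx access line (not from the original post).
SAMPLE_LINE = (
    '203.0.113.10 - - [10/Oct/2015:13:55:36 +0000] "GET /index.html HTTP/1.1" '
    '"200" 612 "https://example.org/" '
    '"Mozilla/5.0 (compatible; google-site-verification/1.0)" "0.004" "example.com"'
)

# Approximate Python-regex rendering of the grok pattern from the post
# (IPV4, WORD, DATA, INT and BASE16FLOAT expanded by hand).
NGINX_RE = re.compile(
    r'(?P<ngnix_clientip>\d{1,3}(?:\.\d{1,3}){3}) - - \[.*?\] '
    r'"(?P<ngnix_method>\w+) (?P<ngnix_path>.*?) HTTP/.*?" '
    r'"(?P<ngnix_responsecode>\d+)" (?:(?P<ngnix_pagesize>\d+)|-) '
    r'"(?P<ngnix_referrer>.*?)" "(?P<ngnix_useragent>.*?)".*?'
    r'"(?P<ngnix_pagetime>[0-9.]+)" (?:"(?P<ngnix_website>.*?)"|-)'
)


def extract(line):
    """Run the extractor: return the grok fields for one log line, or None."""
    m = NGINX_RE.match(line)
    return m.groupdict() if m else None


def tokenize(text):
    """Crude stand-in for a full-text analyzer: lowercase alphanumeric tokens."""
    return set(re.findall(r'[a-z0-9]+', text.lower()))


def search_analyzed(stored_value, term):
    """'message' is analyzed, so a bare term hits if it equals any token."""
    return term.lower() in tokenize(stored_value)


def search_keyword(stored_value, query):
    """Extractor fields are stored as one unanalyzed value: the query must
    match the whole value (case-sensitively); '*' acts as a wildcard."""
    parts = [re.escape(p) for p in query.split('*')]
    return re.match('^' + '.*'.join(parts) + '$', stored_value) is not None


def demo(line=SAMPLE_LINE):
    """Reproduce the searches from the post against one parsed line."""
    fields = extract(line)
    ua = fields['ngnix_useragent']
    return {
        'message:google': search_analyzed(line, 'google'),
        'ngnix_useragent:google': search_keyword(ua, 'google'),
        'ngnix_useragent:*google*': search_keyword(ua, '*google*'),
        'ngnix_useragent:<full value>': search_keyword(ua, ua),
    }
```

In this model the bare term fails on the extracted field and only the full value or a wildcard query hits it, which is the symptom the post describes.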