Hi, you could probably use the pattern analyzer <https://www.elastic.co/guide/en/elasticsearch/reference/2.3/analysis-pattern-analyzer.html> to split the message terms, but that would of course impact all ingested messages, not just the ones you've mentioned as an example.

If these fields have a specific meaning, you might want to use a Grok or RegEx extractor to copy them into specific message fields, so that you can specifically query for them. See http://docs.graylog.org/en/2.1/pages/extractors.html for details.

Cheers,
Jochen

On Tuesday, 10 January 2017 00:43:40 UTC+1, Zhiyuan Lei wrote:
> I use elasticsearch_analyzer = standard in my Graylog, and I have a message like this:
>
> 2017-01-09 20:02:50,197 [x/x] - [(x,aa.bb,Y,645810f41483963370181610719839,1ms)]
>
> Expected Behavior
>
> expected all terms like
>
> Field terms: xxx Y 645810f41483963370181610719839 1ms
>
> the last comma should split the last words.
>
> Current Behavior
>
> Field terms: xxx Y 645810f41483963370181610719839,1ms
>
> but the last words 645810f41483963370181610719839,1ms were not split.
>
> Maybe I can set stopwords to solve this problem, according to this
> https://www.elastic.co/guide/en/elasticsearch/reference/2.3/analysis.html
>
> Does anyone have an idea?
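
Added example, not part of the original thread: a Python sketch of the two options from the reply, run on the sample message. `pattern_tokens` approximates the pattern analyzer's default behaviour (split on `\W+`, lowercase), and `extract_fields` stands in for a regex extractor; the field names are hypothetical, and the sample is assumed to be a single line.

```python
import re

# Sample line from the thread, joined onto one line (the wrap in the quoted
# e-mail is assumed to be a quoting artifact).
SAMPLE = ("2017-01-09 20:02:50,197 [x/x] - "
          "[(x,aa.bb,Y,645810f41483963370181610719839,1ms)]")


def pattern_tokens(message):
    """Approximate the pattern analyzer defaults: split on \\W+, lowercase."""
    return [t.lower() for t in re.split(r"\W+", message) if t]


# Field names are hypothetical: the thread does not say what each value means.
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<context>[^\]]*)\] - "
    r"\[\((?P<field1>[^,()]*),(?P<field2>[^,()]*),(?P<flag>[^,()]*),"
    r"(?P<request_id>[0-9A-Za-z]+),(?P<duration_ms>\d+)ms\)\]$"
)


def extract_fields(message):
    """Return the named fields, or None when the line has a different shape."""
    m = LINE_RE.match(message.strip())
    if m is None:
        return None  # non-matching messages are left untouched
    fields = m.groupdict()
    fields["duration_ms"] = int(fields["duration_ms"])  # numeric for range queries
    return fields


if __name__ == "__main__":
    # Analyzer route: the id and "1ms" separate, but so do "aa.bb" and "50,197".
    print(pattern_tokens(SAMPLE))
    # Extractor route: only lines of this shape gain fields; others return None.
    print(extract_fields(SAMPLE))
    print(extract_fields("2017-01-09 20:02:51,003 [x/x] - unrelated text"))
```

Graylog's regex extractors use Java regular expressions, so the Python-style `(?P<name>...)` groups would need adapting before use there.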
