Hi Chris,

Could you try escaping "-" in the query for the "not_analyzed" field?

http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#_reserved_characters

I hope this helps.
Regards,

------------
Jun Ohtani
joht...@gmail.com
blog : http://blog.johtani.info
twitter : http://twitter.com/johtani




On 2014/01/09 17:20, Chris H <chris.hemb...@gmail.com> wrote:

> Hi, a bit more information.
> 
> I tried adding a custom analyzer based off a recommendation I saw online 
> somewhere.  This partly works in that it's not tokenising.  But I can't do 
> wildcard searches in Kibana on the fields, and they're now case sensitive :(
> 
> curl localhost:9200/_template/logstash-username -XPUT -d '{
>     "template": "logstash-*",
>     "settings" : {
>         "analysis": {
>             "analyzer": {
>                 "lc_analyzer": {
>                     "type": "custom",
>                     "tokenizer": "keyword",
>                     "filter": ["lowercase"]
>                 }
>             }
>         }
>     },
>     "mappings": {
>         "_default_": {
>             "properties" : {
>                 "User_Name" : { "type" : "string", "analyzer" : "lc_analyzer" }
>             }
>         }
>     }
> }'
> 
> Thanks
> 
> On Wednesday, January 8, 2014 3:26:03 PM UTC, Chris H wrote:
> Hi.  I've deployed elasticsearch with logstash and kibana to take in Windows 
> logs from my OSSEC log server, following this guide: 
> http://vichargrave.com/ossec-log-management-with-elasticsearch/
> I've tweaked the logstash config to extract some specific fields from the 
> logs, such as User_Name.  I'm having some issues searching on these fields 
> though.
> 
> These searches work as expected:
>       • User_Name: * 
>       • User_Name: john.smith
>       • User_Name: john.*
>       • NOT User_Name: john.*
> But I'm having problems with Computer accounts, which take the format 
> "w-dc-01$" - they're being split on the "-" and the "$" is ignored.  So a 
> search for "w-dc-01" returns all the servers named "w-<anything>".  Also I 
> can't do "NOT User_Name: *$" to exclude computer accounts.
> 
> The mappings are created automatically by logstash, and GET 
> /logstash-2014.01.08/_mapping shows:
> 
> "User_Name": {
>    "type": "multi_field",
>    "fields": {
>       "User_Name": {
>          "type": "string",
>          "omit_norms": true
>       },
>       "raw": {
>          "type": "string",
>          "index": "not_analyzed",
>          "omit_norms": true,
>          "index_options": "docs",
>          "include_in_all": false,
>          "ignore_above": 256
>       }
>    }
> },
> My (limited) understanding is that the "not_analyzed" should stop the field 
> being split, so that my searching matches the full name, but it doesn't.  I'm 
> trying both kibana and curl to get results.
> 
> Hope this makes sense.  I really like the look of elasticsearch, but being 
> able to search on extracted fields like this is pretty key to me using it.
> 
> Thanks.
> 
> 
> 
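As an added illustration of Jun's suggestion (example code, not from the thread or from Elasticsearch itself): the helper below escapes the query_string reserved characters and builds a search body against the not_analyzed "User_Name.raw" sub-field shown in Chris's mapping, so that "w-dc-01$" is matched as one whole token and "NOT User_Name.raw:*$" can exclude computer accounts. The sample values are constructed from the thread; the function names are the example's own.

```python
import json

# Reserved characters of the query_string syntax; a leading backslash makes
# the query parser treat them literally. '<' and '>' cannot be escaped and
# are dropped instead (per the Elasticsearch query_string reference).
ESCAPABLE = set('+-=&|!(){}[]^"~*?:\\/')
UNESCAPABLE = set('<>')


def escape_query_string(value: str, keep_wildcards: bool = False) -> str:
    """Escape a user-supplied value for use inside a query_string query.

    keep_wildcards=True leaves '*' and '?' unescaped so the caller can build
    patterns such as '*$' on purpose; by default they are escaped too.
    """
    out = []
    for ch in value:
        if ch in UNESCAPABLE:
            continue
        if keep_wildcards and ch in '*?':
            out.append(ch)
        elif ch in ESCAPABLE:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def user_name_query(value: str, keep_wildcards: bool = False,
                    negate: bool = False, field: str = 'User_Name.raw') -> dict:
    """Build a query_string request body against the not_analyzed sub-field.

    'User_Name.raw' is the multi_field sub-field from the mapping in the
    thread: it keeps the whole value (including '-' and '$') as one token,
    but it also keeps the original case, so the value must match exactly.
    """
    clause = f'{field}:{escape_query_string(value, keep_wildcards)}'
    if negate:
        clause = 'NOT ' + clause
    return {"query": {"query_string": {"query": clause}}}


if __name__ == '__main__':
    # Constructed examples from the thread: one computer account, and the
    # exclusion of every account whose name ends in '$'.
    print(json.dumps(user_name_query('w-dc-01$')))
    print(json.dumps(user_name_query('*$', keep_wildcards=True, negate=True)))
```

The printed body can be sent with `curl localhost:9200/logstash-*/_search -d '...'`, and the same escaped string (`User_Name.raw:w\-dc\-01$`) is what you would type into the Kibana query box.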
