I am using the foollowing config file
filter{
grok{
match=>[
"message",
"(?:\?|\&)C\=%{DATA:kw}\&%{DATA}\sT\s%{DATA:town}\sS\s%{WORD:state}\s%{DATA}%{IP:ip}"
]
}
grok{
match=>[
"message",
"(?:\?|\&)SRC\=%{DATA:src}(?:\&|$)"
]
}
}
output {
elasticsearch {
host => localhost
}
stdout { codec => rubydebug }
}
And I thought "kw", "town", "state", etc. will be fields in elastic search.
But trying
http://localhost:9200/_search?q="town:* AND state:*"
I am getting
{"took":5,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"*total":0*,"max_score":null,"hits":[]}}
--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/b99b5f5a-9063-4970-8da2-106efc5de196%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
