Hi! 

We have Graylog 1.2.2.

We use the nginx log file. We add it to Graylog using a GELF TCP input.

In this input we have already set up extractors with the help of GROK patterns.

Below you can see the pattern:

grok_pattern: %{IPV4:ngnix_clientip} - - \[.*?\] %{WORD:ngnix_method;string} %{DATA:ngnix_path;string} HTTP/.*? "%{INT:ngnix_responsecode;short}" (?:%{INT:ngnix_pagesize}|-) "%{DATA:ngnix_referrer;string}" "%{DATA:ngnix_useragent;string}".*?"%{BASE16FLOAT:ngnix_pagetime;float}" (?:"%{DATA:ngnix_website;string}"|-)

As a result we have a field ngnix_useragent, forced to the string type.

Everything works correctly, but we have one problem.

When I enter a query in the search field like “message:google”, Graylog 
searches and shows me all lines where the substring “google” appears 
anywhere.

This can be in the user agent or in the referrer, no matter. Anyway, this is OK.

But the main problem is:

If I only search inside the field ngnix_useragent (a query of the form 
“ngnix_useragent:google”), 
in this case Graylog does not find anything.

If I ask with a detailed query for the field (exactly what we have in ngnix_useragent), 
in this case Graylog finds it correctly.

I think search inside the field does not work correctly, which is connected 
with GROK (or REGEX or any other stuff, no matter; anyway it does not work).


MY MAIN QUESTIONS:

   1. Can we search for a substring inside the field? Is this my mistake or is 
   this how Graylog works?
   2. Would you be so kind as to help me solve this problem?
   

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/c980a344-c37c-4fa9-baa8-fd23e39823c7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

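The behaviour described in the post, modelled in an added Python example that is not part of the original message and is not Graylog's own code. It expands the posted grok pattern into a regex (using the standard grok definitions, with a simplified IPV4), parses one constructed nginx log line in the custom format the pattern implies (no quote before the method, quoted status code), and then runs the post's queries against a small model of how Graylog 1.x's index template indexes fields: message is analyzed (tokenized), while extracted fields such as ngnix_useragent are stored not_analyzed, so a bare word is an exact comparison against the whole value. The log line, the tokenizer (a simplification of Elasticsearch's standard analyzer) and the query model are assumptions made for the example.

```python
import re
from fnmatch import fnmatchcase

# Grok definitions for the syntaxes the post's pattern uses. These follow the
# upstream grok-patterns file; IPV4 is a simplified form of it (assumption).
GROK_DEFS = {
    "IPV4": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
            r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "BASE16FLOAT": r"\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+"
                   r"(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b",
}

# The pattern from the post, joined back onto one line.
NGINX_GROK = (
    r'%{IPV4:ngnix_clientip} - - \[.*?\] '
    r'%{WORD:ngnix_method;string} %{DATA:ngnix_path;string} HTTP/.*? '
    r'"%{INT:ngnix_responsecode;short}" (?:%{INT:ngnix_pagesize}|-) '
    r'"%{DATA:ngnix_referrer;string}" '
    r'"%{DATA:ngnix_useragent;string}".*?"%{BASE16FLOAT:ngnix_pagetime;float}" '
    r'(?:"%{DATA:ngnix_website;string}"|-)'
)

# Graylog's ';type' hints mapped to Python casts (only the ones needed here,
# an assumption). A reference without a hint stays a string.
CASTS = {"string": str, "short": int, "int": int, "long": int,
         "float": float, "double": float}

GROK_REF = re.compile(r"%\{(\w+):(\w+)(?:;(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{SYNTAX:name;type} into named groups; return (regex, types).
    The ';type' suffix is an extractor hint, not regex, so it is split off."""
    types = {}

    def repl(m):
        syntax, name, typ = m.groups()
        types[name] = typ or "string"
        return "(?P<%s>%s)" % (name, GROK_DEFS[syntax])

    return GROK_REF.sub(repl, pattern), types


def parse_line(line):
    """Apply the grok pattern to one log line; None if it does not match.
    The whole line is kept as 'message', as Graylog does."""
    regex, types = grok_to_regex(NGINX_GROK)
    m = re.match(regex, line)
    if not m:
        return None
    fields = {"message": line}
    for name, value in m.groupdict().items():
        if value is not None:          # optional groups such as pagesize may be absent
            fields[name] = CASTS[types[name]](value)
    return fields


# Graylog's index template analyzes these two fields; every other string field
# is stored not_analyzed, i.e. as one exact keyword.
ANALYZED_FIELDS = {"message", "full_message"}


def tokenize(text):
    """Simplified stand-in for the standard analyzer: lowercase, split on
    anything that is not a letter or digit. (The real analyzer keeps hostnames
    like www.google.com as one token, so token sets differ there.)"""
    return re.findall(r"[a-z0-9]+", text.lower())


def field_matches(fields, field, query):
    """Model of how a `field:query` term resolves against one indexed message."""
    value = fields.get(field)
    if value is None:
        return False
    if field in ANALYZED_FIELDS:
        # analyzed field: the query terms must appear as adjacent tokens
        q, v = tokenize(query), tokenize(value)
        return any(v[i:i + len(q)] == q for i in range(len(v) - len(q) + 1))
    value = str(value)
    if len(query) >= 2 and query[0] == query[-1] == '"':
        return value == query[1:-1]            # quoted: exact whole value
    if "*" in query or "?" in query:
        return fnmatchcase(value, query)       # wildcard: case-sensitive on keywords
    return value == query                      # bare term: exact whole value


# Constructed log line (not real traffic) in the layout the pattern expects.
LOG_LINE = ('203.0.113.10 - - [10/Oct/2015:13:55:36 +0300] GET /search?q=graylog '
            'HTTP/1.1 "200" 5123 "https://www.google.com/" '
            '"Mozilla/5.0 (compatible; Google-Read-Aloud)" "-" "0.042" "example.com"')


def run_queries(fields):
    """The post's queries plus the two forms that do hit a keyword field."""
    queries = [
        ("message", "google"),                      # analyzed: token hit
        ("ngnix_useragent", "google"),              # keyword: whole value != "google"
        ("ngnix_useragent", "*google*"),            # keyword wildcard, wrong case
        ("ngnix_useragent", "*Google*"),            # keyword wildcard, right case
        ("ngnix_useragent", '"%s"' % fields["ngnix_useragent"]),  # full value
        ("ngnix_responsecode", "200"),
    ]
    return {"%s:%s" % (f, q): field_matches(fields, f, q) for f, q in queries}


if __name__ == "__main__":
    parsed = parse_line(LOG_LINE)
    for name, value in sorted(parsed.items()):
        print("%-20s %r" % (name, value))
    for query, hit in run_queries(parsed).items():
        print("%-60s %s" % (query, "HIT" if hit else "no hit"))
```

Run it directly to print the extracted fields and the result of each query. The practical consequence for the post's case is that on a not_analyzed field only the complete value or a wildcard such as ngnix_useragent:*Google* matches, wildcards are case-sensitive there, and a leading * has to scan every distinct value in the index, so it is slow on large indices.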