[graylog2] Re: Complex Search in a Stream
Gotcha... I was hoping that some of the more complex searches that one can write and save could simply be called and used by a stream. I'll dig into what pipelines can give me in that case.

Thanks,
Tp

-- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/9032e0f2-99ac-4542-856b-5812994a624a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Complex Search in a Stream
Hi Tom,

On Tuesday, 24 January 2017 20:44:53 UTC+1, Tom Powers wrote:
> What is the syntax to use a saved search in a Stream? That is eluding me
> right now

I'm not sure we're talking about the same things. Saved searches are simply stored search queries which can be loaded (not their results, though): http://docs.graylog.org/en/2.1/pages/queries.html#saved-searches

They work exactly the same for streams.

Cheers,
Jochen
[graylog2] Re: Complex Search in a Stream
Oh, OK... so I have a couple of ways to try out. What is the syntax to use a saved search in a Stream? That is eluding me right now.

Thanks,
TP

On Monday, January 23, 2017 at 5:37:17 PM UTC-6, Tom Powers wrote:
> OK... streams and alerts for them are very cool... but it seems I can do
> much more in the search field than the stream field.
>
> For example, if I want (EventID:4688 AND ((cscript OR wscript))) the
> search is pretty straightforward.
>
> How can I do that in a Stream? If I set the EventID field AND Cscript
> match (with 2 rules), then how do I get the OR wscript match?
>
> Seems like it's almost there... but just not quite. The Search works
> great, but if I want to alert off this, then I'm forced into 2 streams?
> EventID:4688 AND cscript and the other EventID:4688 AND wscript. This
> would seem cumbersome at best.
>
> Where am I going off the rails here?
>
> Thanks
>
> TP
[graylog2] Re: Complex Search in a Stream
Hi Tom,

On Tuesday, 24 January 2017 16:30:50 UTC+1, Tom Powers wrote:
> So...if I am understanding you correctly, I can NOT call a saved search in
> a stream at all.

Sure, saved searches can also be used in streams (as they are simply that: saved search queries).

> So...Pipelines are the answer and not streams in this case?

The message processing pipelines are simply an alternative to the old Extractor, Drools Rules, and Stream Rules functionality. You can write a pipeline rule which adds your messages to one or more streams according to your conditions.

Cheers,
Jochen
[graylog2] Re: Complex Search in a Stream
I guess that is what is confusing. I see some references in posts and GitHub change posts that mention calling saved searches in a stream. For example: https://groups.google.com/forum/#!topic/graylog2/7uHfdWJIeGg

So... if I am understanding you correctly, I can NOT call a saved search in a stream at all. So... Pipelines are the answer and not streams in this case?

Thanks,
TP

On Monday, January 23, 2017 at 5:37:17 PM UTC-6, Tom Powers wrote:
> OK... streams and alerts for them are very cool... but it seems I can do
> much more in the search field than the stream field.
>
> For example, if I want (EventID:4688 AND ((cscript OR wscript))) the
> search is pretty straightforward.
>
> How can I do that in a Stream? If I set the EventID field AND Cscript
> match (with 2 rules), then how do I get the OR wscript match?
>
> Seems like it's almost there... but just not quite. The Search works
> great, but if I want to alert off this, then I'm forced into 2 streams?
> EventID:4688 AND cscript and the other EventID:4688 AND wscript. This
> would seem cumbersome at best.
>
> Where am I going off the rails here?
>
> Thanks
>
> TP
[graylog2] Re: Complex Search in a Stream
Hi Tom,

On Tuesday, 24 January 2017 14:49:58 UTC+1, Tom Powers wrote:
> The rule only seems to give me the one category/operator/criteria choice
> per rule. So in the search above, what would the rule structure look like
> to get the same result?

You can use multiple rules per stream and either require only 1 of them to match (OR) or all of them to match (AND) for a message to be sent into that stream. Unfortunately it's currently not possible* to combine stream rules with different logical operators.

*: You can use the message processing pipelines to formulate arbitrary rules: http://docs.graylog.org/en/2.1/pages/pipelines.html

Cheers,
Jochen
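The query Tom wants to alert on, `EventID:4688 AND (cscript OR wscript)`, mixes AND and OR, which a flat "match all" / "match at least one" stream rule set cannot express. The pipeline rule below is an added example written for this thread (it is not code from the thread or from the Graylog documentation) showing how that condition is written in the pipeline rule language and how the matching messages are routed into a stream that an alert can then be attached to. It assumes the Windows Security event arrives with a numeric `EventID` field and the launched command line in a field named `CommandLine`, and that a stream named "Script host process creation" already exists; all three names are assumptions, since field names depend on the shipper (nxlog and Winlogbeat lay events out differently).

```graylog
// Added example for this thread, not Graylog's own code.
// Assumed fields: EventID (numeric) and CommandLine (string).
// Assumed target stream: "Script host process creation" (create it first).
rule "4688 script host launch"
when
  has_field("EventID") &&
  to_long($message.EventID) == 4688 &&
  (
    // to_string() yields "" for a missing field, so contains() is simply false
    // rather than an error when CommandLine is absent. ignore_case = true
    // catches CScript.exe / WSCRIPT.EXE spellings too.
    contains(to_string($message.CommandLine), "cscript", true) ||
    contains(to_string($message.CommandLine), "wscript", true)
  )
then
  // Copy the message into the alerting stream; keep it in the default
  // stream as well so it still shows up in general searches.
  route_to_stream(name: "Script host process creation", remove_from_default: false);
end
```

To make the rule active, add it to a stage of a pipeline and connect that pipeline to the stream the raw Windows events land in (the default "All messages" stream unless an input routes them elsewhere); the alert condition is then defined on the target stream as usual. Two caveats worth knowing before relying on this for detection: the original search matched `cscript`/`wscript` anywhere in the message, so matching only `CommandLine` is narrower (use `$message.message` if you want the same breadth), and a substring match will also fire on paths that merely contain those strings, so review the first few days of hits before turning it into a paged alert.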
[graylog2] Re: Complex Search in a Stream
I may have the terms off here. In the stream rules, I can select a field... Event ID, for example... select the operator... match exactly, for example, and then the field of what I want it to match... 4688, for example.

The rule only seems to give me the one category/operator/criteria choice per rule. So in the search above, what would the rule structure look like to get the same result?

Thanks for bearing with my noob-ness.
Tp
[graylog2] Re: Complex Search in a Stream
Hi Tom,

On Tuesday, 24 January 2017 00:37:17 UTC+1, Tom Powers wrote:
> OK... streams and alerts for them are very cool... but it seems I can do
> much more in the search field than the stream field.

What exactly is the "stream field"? The search bar in the Universal Search and in a stream uses the same query language and has the same capabilities.

Cheers,
Jochen