Hi,
currently only some specific message fields (message, full_message, and
source) are being analyzed during index time. This means that wildcard
searches cannot be executed for other, individual fields.
You can work around this limitation by creating an index template (
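The index-template workaround mentioned above, as an added example that is not from the original thread: a small POSIX shell script that renders a custom Elasticsearch template making one extra field analyzed (so wildcard searches work on it) and applies it with curl. Assumptions that the thread does not state: Graylog 1.x on Elasticsearch 1.x, the default index prefix `graylog2`, a hypothetical field name `custom_field`, and the template name `graylog-custom-analyzed`.

```shell
#!/bin/sh
# Added example (not from the original thread): render and apply a custom
# Elasticsearch index template so that an extra Graylog field is analyzed
# (tokenized) at index time, which is what wildcard searches need.
#
# Assumptions (not stated in the thread): Graylog 1.x on Elasticsearch 1.x,
# default index prefix "graylog2", field "custom_field", template name
# "graylog-custom-analyzed". Override ES_URL / TEMPLATE_NAME as needed.

ES_URL="${ES_URL:-http://localhost:9200}"
TEMPLATE_NAME="${TEMPLATE_NAME:-graylog-custom-analyzed}"

# render_template FIELD [PREFIX]
# Print the template JSON. "order": 1 makes it win over Graylog's own
# template (order 0), whose dynamic mapping stores fields as not_analyzed.
render_template() {
    field="$1"
    prefix="${2:-graylog2}"
    cat <<EOF
{
  "template": "${prefix}_*",
  "order": 1,
  "mappings": {
    "message": {
      "properties": {
        "${field}": {
          "type": "string",
          "index": "analyzed"
        }
      }
    }
  }
}
EOF
}

# template_matches_index TEMPLATE_JSON INDEX_NAME
# Sanity check before deploying: does the "template" glob match a real
# index name? A template that matches nothing fails silently otherwise.
template_matches_index() {
    pattern=$(printf '%s\n' "$1" | sed -n 's/.*"template": *"\([^"]*\)".*/\1/p')
    case "$2" in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# apply_template FIELD [PREFIX]
# PUT the template. Only indices created afterwards pick it up, so rotate
# the active Graylog index (or wait for the next rotation) to see the effect.
apply_template() {
    render_template "$1" "$2" |
        curl -sS -XPUT "${ES_URL}/_template/${TEMPLATE_NAME}" \
             -H 'Content-Type: application/json' --data-binary @-
}
```

Usage: `apply_template custom_field` against a reachable cluster, then rotate the index. Already-written indices keep their old mapping; a field that was stored `not_analyzed` in them will only become wildcard-searchable after re-indexing.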
The other way to do this would be to output to something like Riemann,
particularly if you have (like we do) a very large number of hosts and
don't want to configure a stream for each host.
The other reason streams may be impractical is if you have hosts being
configured to send to Graylog
Thanks Jochen, I thought as much.
For my needs, I have two server nodes that don't normally perform any
processing and are essentially reserved as search nodes. These are the only
nodes configured for the web interface to communicate with. They are still
in my load balancer pool on the F5's
I think I need a bit of help with this, please.
So I have 1 rule:
source must match exactly serverName
And I want the alarm triggered when this field doesn't have this value:
serverName in the last 5 min, but I'm lost with the alerts of streams. I selected
the next value, but nothing happened:
Alert is
Hi Pavel,
It seems Elasticsearch is running, but can you check the status with:
curl -XGET http://localhost:9200/_cluster/health?pretty
The status should be green, otherwise your Graylog server doesn't start.
Can you also post the Graylog server log?
Ciao
Alberto
On Tuesday, July 14, 2015 at 2:55:51 PM