AND operator works AND NOT operator does not

samhut101 · October 1, 2018, 8:05pm

Hey Everyone,

I’m perplexed here. I feel like this is very simple but It just doesn’t work, I’m totally out of ideas. I’m running a simple search using the AND NOT operator. However, It looks like the AND NOT is ignored in my search results. The part that is confusing to me is that if I change the operator to an AND, all the expected results are returned. Why would the AND operator work, but not the AND NOT operator? Thank you in advance for your help.

merceskoba · October 2, 2018, 3:42am

I got the same problem too about operators.
Do you know how to search a specific word ?

Karlis · October 2, 2018, 6:21am

Try NOT instead of AND NOT

samhut101 · October 2, 2018, 6:04pm

I tried changing it to a NOT, but it still displays the data I don’t want. I’ve used the AND NOT in other searches, and it appears to work, just not this one for some reason.

samhut101 · October 2, 2018, 6:09pm

If you want to search an exact phrase put the search in quotes
Example: message:“user login”

If you want to just search a single word, there is no need for quotes.
Example: message:example.com

jan · October 2, 2018, 6:23pm

You can read that in the documentation …

http://docs.graylog.org/en/2.4/pages/queries.html

samhut101 · October 2, 2018, 6:33pm

Hi Jan, yes I understand that. I was helping to answer merceskoba’s question.
However my problem is that the AND NOT operator is ignored. Do you know why the AND NOT does not work in this search?

winlogbeat_event_data_SubjectUserName:example AND NOT message:.tmp

If I change the search to only use an AND, it only displays .tmp files as expected.

winlogbeat_event_data_SubjectUserName:example AND message:.tmp

This leads me to believe my search criteria is correct. So why would the AND NOT operator be ignored in the first search? I’m not sure what to try next.

jan · October 2, 2018, 6:51pm

He @samhut101

I’m not sure why this does not work - what Graylog Version did you run with what version of Elasticsearch?

I would extract the information you want to filter on into a special field (like the file extension in this case) and that would enable to you to use more advanced filtering if needed.

Jan

samhut101 · October 2, 2018, 7:00pm

@jan

I’m currently running Graylog 2.4.5 and Elasticsearch version 5.6.9

I’ll try setting up an extractor the the extension and see if that works.

Thanks

frantz · October 8, 2018, 10:56am

Maybe the dot needs to be escaped.
Try “AND NOT message:\.tmp”

system · October 22, 2018, 11:03am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog 3 search 'AND' query returns none matching results Graylog Central (peer support)	6	670	December 2, 2019
Positive text filter combined with negative text filter? Graylog Central (peer support)	12	388	October 20, 2022
Upgrade from 2.4.6 to 2.5, ES6 - Cannot OR search anymore? Graylog Central (peer support) sidecar , winlogbeat	1	475	January 3, 2019
Specific field not indexed correctly and search not working Graylog Central (peer support)	8	2567	November 12, 2020
Searching special characters Graylog Central (peer support)	9	7596	June 3, 2020

AND operator works AND NOT operator does not

Related Topics