Cannot search StackTrace field with : but works with =

I cannot search the StackTrace field with : but it works with =
Examples:
Works: StackTrace="Caused by: java.net.SocketTimeoutException: connect timed out"
Doesn't work: StackTrace:"Caused by: java.net.SocketTimeoutException: connect timed out"

Use case: I need to configure a Graylog alert to send out an email alert based on matches in the StackTrace field. I cannot use the full_message field, as only the StackTrace log is currently adequate to determine an issue.
Since the Graylog alert condition defaults to : and cannot be set to =, please advise on a solution to configure a matching alert.

Also, I am using Graylog v2.4.6+ceaa7e4

Try to escape some characters:
https://docs.graylog.org/en/3.1/pages/queries.html#escaping

Why would escaping some characters work where = works and : does not?
To clarify further:
Works (matches): StackTrace="connect timed out"
Doesn't work (no matches): StackTrace:"connect timed out"

Maybe this:
https://docs.graylog.org/en/3.1/pages/queries.html#syntax

Also note that message, full_message, and source are the only fields that are being analyzed by default. While wildcard searches (using * and ?) work on all indexed fields, analyzed fields will behave a little bit different. See wildcard and regexp queries for details.

Possibly, but I’m looking for a solution.
For example, is it possible to do a RESTful retrieval of the matching messages, through Postman for example? In that case I can write the query with = instead of : and run it through cron.
