Case insensitive search in GROK extracted field

(Shodanshok) #1

Hi all,
I have a simple GROK extractor parsing various DATA fields, assigning custom names to each one.

In the search window, I would like to do a case-insensitive search in some of these fields, but I can not see how. For example, I have a field called “result” which contains the word “Accepted”. Searching for it, I need to type “result:Accepted”, because something like “result:accepted” will not work.

How can I search for “result:accepted” for any field having something like “Accepted”, “accepteD”, “accEpted”, etc?


(Jochen) #2

You could create a custom Elasticsearch index mapping for the “result” field which applies a case-insensitive analyzer.
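
As an added example (not code from the thread or from the Graylog project), this is the kind of custom index template the reply above points at. It maps the extracted field “result” as an Elasticsearch keyword with a lowercase normalizer, so the stored term and the search term are both lowercased and “result:accepted” matches “Accepted”, “accepteD” and “accEpted”. Assumptions: Graylog's default index prefix graylog and its deflector alias graylog_deflector, the message mapping type Graylog uses on Elasticsearch 5.x/6.x, Elasticsearch 5.2 or newer (normalizers do not exist before that), and placeholder names for the template (graylog-custom-result) and the cluster URL (ES_URL). On Elasticsearch 6 use index_patterns instead of the template key.

```shell
#!/bin/sh
# Added example, not part of the original thread. Installs an Elasticsearch
# index template that gives the Graylog-extracted field "result" a lowercase
# normalizer, so result:accepted matches "Accepted", "accepteD", "accEpted".
# Assumed: index prefix "graylog", mapping type "message", ES 5.2+, and the
# placeholder template name / cluster URL below.

ES_URL="${ES_URL:-http://127.0.0.1:9200}"

# Template body. "order": 1 is higher than Graylog's own template, so for the
# fields listed here this mapping wins; everything else stays Graylog's.
result_template() {
  cat <<'EOF'
{
  "template": "graylog_*",
  "order": 1,
  "settings": {
    "index": {
      "analysis": {
        "normalizer": {
          "lowercase_normalizer": {
            "type": "custom",
            "filter": ["lowercase"]
          }
        }
      }
    }
  },
  "mappings": {
    "message": {
      "properties": {
        "result": {
          "type": "keyword",
          "normalizer": "lowercase_normalizer"
        }
      }
    }
  }
}
EOF
}

# Offline sanity check before touching the cluster: the normalizer must be
# defined under settings, referenced by the field, and scoped to graylog_*.
check_template() {
  body="$(result_template)"
  printf '%s\n' "$body" | grep -Fq '"normalizer": "lowercase_normalizer"' || return 1
  printf '%s\n' "$body" | grep -Fq '"filter": ["lowercase"]' || return 1
  printf '%s\n' "$body" | grep -Fq '"template": "graylog_*"' || return 1
}

# Install the template. Templates only apply to indices created afterwards,
# so rotate the active write index in Graylog (System -> Indices) next.
apply_template() {
  result_template | curl -sS -X PUT -H 'Content-Type: application/json' \
    "$ES_URL/_template/graylog-custom-result" --data-binary @-
}

# Confirm the mapping landed on the current write index after rotation.
show_mapping() {
  curl -sS "$ES_URL/graylog_deflector/_mapping/message/field/result?pretty"
}

# Network steps run only on explicit request, so the file can be checked
# offline: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
  check_template || { echo "template body is malformed" >&2; exit 1; }
  apply_template
  show_mapping
fi
```

Two things to keep in mind when doing this: the new mapping does not rewrite messages already indexed, only indices created after the template exists pick it up, and because the stored term itself is lowercased, any aggregation or quick-values view over “result” will show “accepted” rather than the original capitalisation. Scoping the template to one named field, as above, is also the conservative reading of the documentation's warning about custom mappings; a dynamic template that lowercases every string field is far more intrusive.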

(Shodanshok) #3

Hi, in Graylog documentation I read:

be extremely cautious and conservative about the custom index mappings!

So, as a new Graylog user, I wonder if I can search in case-insensitive mode, rather than storing the messages themselves all in lowercase. Any thoughts on that?


(Jochen) #4

No, that’s currently not possible with Graylog.

(Shodanshok) #5

OK. Thank you so much for the direct answer.
