which should NOT show up at all. We only need the lines containing “|ERROR|”
2. Describe your environment:
OS Information: Ubuntu 20.04 LTS
Package Version: GL 4.3.9 + OpenSearch 1.3.6
Service logs, configurations, and environment variables:
Does not apply - I guess
3. What steps have you already taken to try and solve the problem?
I read several pages where it’s stated that OpenSearch/ElasticSearch are case-insensitive:
which is nice if you want to use some JSON-based query. But the idea is to get case-sensitive results from the “search” field on Graylog.
4. How can the community help?
Can someone please clarify whether the Graylog searches are case-sensitive or not? If they are, how should I search to get only those lines where “|ERROR|” appears?
a) I can change from elasticsearch_analyzer = standard
to elasticsearch_analyzer = whitespace
in /etc/graylog/server/server.conf and restart Graylog to apply changes. This way, search results won’t be lowercased.
b) This will only be true for newly created indices after the elasticsearch_analyzer has been changed but old indices won’t benefit from that change.
I haven't done this before, but I would imagine from my other troubleshooting experiences: try manually rotating/recalculating the index set from the Web UI. Not sure if it will work in your case.
Maybe change your search to look for |ERROR| regex style? It’s interesting that the search is not picking up the pipes and thereby finding the lowercase error.
namespace: foo\-bar AND message:/\|ERROR\|/
Alternatively you can parse out the ERROR into its own field ahead of time with an Extractor or in the pipeline…
it seems like using regexes to match lines with “|ERROR|” (w/o quotes) could be the way to go… however, I got the following results:
^.*(?=\|ERROR\|).*$ <- GL complains with wrong syntax
^.*\|ERROR\|.*$ <- GL complains with wrong syntax
^[-\d\ :.]+\|ERROR.+? <-- GL complains with wrong syntax
\d+\|ERROR\| <- OK, but lines with lowercase "error" are still shown
\|ERROR\| <- OK, but lines with lowercase "error" are still shown
Oddly enough, they do work perfectly well in regex101.com
So I guess it has to do with the standard analyzer which is set by default… the problem is that it cannot be changed for the existing indices, neither from the GUI nor from the config file… or am I overlooking the obvious?
Yea, I forget message: field isn’t searchable like the rest:
If you are interested in the messages that contain “|ERROR|” over time it is best to break out the information with extractors and/or pipeline as the data comes in.
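One way to do what the last reply suggests, as an added example that is not from this thread or from the Graylog project: a pipeline rule that matches the marker with a case-sensitive Java regex (so "|error|" is ignored) and copies it into a hypothetical `log_level` field, which is indexed as a keyword rather than through the analyzer.

```graylog
rule "extract uppercase level marker from message"
when
    has_field("message") &&
    // Java regex, case-sensitive: "|error|" does not match, "|ERROR|" does
    regex("\\|(ERROR|WARN|INFO)\\|", to_string($message.message)).matches == true
then
    // run the match again to read the captured group; group 1 is keyed "0"
    let m = regex("\\|(ERROR|WARN|INFO)\\|", to_string($message.message));
    // log_level is an assumed field name chosen for this example
    set_field("log_level", m["0"]);
end
```

Once the rule is attached to the stream, `log_level:ERROR` in the search bar returns only lines carrying the uppercase marker, for every message processed after the rule was added; messages already in old indices stay untouched.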