Custom fields are searchable?

leonardodg · March 13, 2017, 1:48pm

Hi,

I created a new field called history_cmd using a extractor, but I noticed I can’t use this field to search (history_cmd: “ls -l”), in the graylog documentation I found 2 information about search, but I still don’t understand if new fields created by a extractor are searchable…

P.S. If I am using message: field, the search works very well.

Link http://docs.graylog.org/en/2.2/pages/queries.html

The search syntax is very close to the Lucene syntax. By default all message fields are included in the search if you don’t specify a message field to search in.

Also note that message, full_message, and source are the only fields that are being analyzed by default. While wildcard searches (using * and ?) work on all indexed fields, analyzed fields will behave a little bit different. See wildcard and regexp queries for details.

leonardodg · April 11, 2017, 12:38pm

I still having this issue, someone can help?

jan · April 13, 2017, 7:28am

Hej Leonardo,

you might want to define a custom index mapping.

regards
Jan

leonardodg · April 13, 2017, 6:37pm

Hi,

First of all, thanks Jan

I read the link, and this only will affect new index created by graylog? Is there any way to apply to current index?

jan · April 14, 2017, 12:05pm

Hej,

yes the custom mapping is only for new indices - please use your preferred search to find how to change the mapping of elasticsearch indices.

thank you

Topic		Replies	Views
Specific field not indexed correctly and search not working Graylog Central (peer support)	8	2900	November 12, 2020
Searching Custom JSON Fields Graylog Central (peer support)	3	5236	February 14, 2018
What are analyzed fields? Graylog Central (peer support)	9	5369	May 16, 2018
Search problem on custom fields Graylog Central (peer support)	1	662	May 3, 2017
Field not analyzing Graylog Central (peer support)	10	947	August 30, 2021

Custom fields are searchable?

Related topics