Custom fields are searchable?

leonardodg · March 13, 2017, 1:48pm

Hi,

I created a new field called history_cmd using a extractor, but I noticed I can’t use this field to search (history_cmd: “ls -l”), in the graylog documentation I found 2 information about search, but I still don’t understand if new fields created by a extractor are searchable…

P.S. If I am using message: field, the search works very well.

Link http://docs.graylog.org/en/2.2/pages/queries.html

The search syntax is very close to the Lucene syntax. By default all message fields are included in the search if you don’t specify a message field to search in.

Also note that message, full_message, and source are the only fields that are being analyzed by default. While wildcard searches (using * and ?) work on all indexed fields, analyzed fields will behave a little bit different. See wildcard and regexp queries for details.

leonardodg · April 11, 2017, 12:38pm

I still having this issue, someone can help?

jan · April 13, 2017, 7:28am

Hej Leonardo,

you might want to define a custom index mapping.

regards
Jan

leonardodg · April 13, 2017, 6:37pm

Hi,

First of all, thanks Jan

I read the link, and this only will affect new index created by graylog? Is there any way to apply to current index?

jan · April 14, 2017, 12:05pm

Hej,

yes the custom mapping is only for new indices - please use your preferred search to find how to change the mapping of elasticsearch indices.

thank you

Topic		Replies	Views
Searching Custom JSON Fields Graylog Central (peer support)	3	4957	February 14, 2018
Search problem on custom fields Graylog Central (peer support)	1	635	May 3, 2017
Extracted fields are not searchable Graylog Tech Challenges	3	823	August 20, 2021
Regex search in message field Graylog Central (peer support)	4	1056	February 23, 2021
How to search by custom field property Graylog Central (peer support)	6	4395	November 29, 2018

Custom fields are searchable?

Related Topics