The search query logic seems to have changed since upgrading to Graylog v3 and ES v6.7, and I am now running into issues when trying to search for 2 different fields using AND, e.g. FieldA: Foo AND FieldB: Bar. The search returns results which do not match both of the fields.
This seems to happen when the extracted fields do not exist against all of the log messages, and results do not contain one of the extracted fields in the search.
If you search for either of the fields on their own they return the correct results matching the search.
Can you please advise whether this is expected behaviour or a bug? If it's expected, are there any settings I can change to modify this search behaviour?
Please let me know if you need any more information.
Thanks
My current Graylog version is 3.1.2; however, I have observed this behaviour in all previous versions since 3.0.0-2.
This occurs when searching from the Search page, and also when searching within Streams.
I have not seen this behaviour so far using the views, however I have not tested this.
Please let me know if you need any more info.
Thanks
I have tried the search in both ways, with the same results:
fieldA:value AND fieldB:value
fieldA:[SPACE]value AND fieldB:[SPACE]value
I also tried combinations of quotes (', ", etc.) with no luck. However, I have noticed that if I escape the value using / the search does work correctly: fieldA:/value/ AND fieldB:/value/
This behaviour doesn't seem right, and is confusing for our users. Do you know if there are any config options that would cause this, or is it a bug?
Thanks
Without knowing exactly what you are trying to search for, and in what data, I am just guessing on my end. In addition, as this is not something that comes up from many users, I must admit it might be a usage problem.