Graylog 5 does not search through custom fields correctly

When using Search, I want to filter only through my custom field DstPrt, but it shows results from the original message instead.
Graylog server is receiving local firewall logs from Windows stations in the form of a string message. I am using a grok-pattern as extractor, splitting the message into several fields with different types. I then list through these in a Dashboard which shows my fields with highlighted values and the original message in a smaller font. Now when I try to filter through one of those fields, for example DstPrt >= 49152 or DstPrt: {49152 TO 65555}, where DstPrt is type INT, I am getting results that don't belong. But if I filter like “Action = DROP” (DROP is type WORD, for example), then it works fine.

Can you share an example query? Also, can you confirm the field type for DstPrt is an integer or long? You can use the ‘fields’ button on the search page to find the field and view its type:

Hi Drew. So I was checking the data type in the fields and it says “String”? Now the only place I know I have set the data type is in the grok-pattern, which you can look at in the attached picture. I have also attached a query results picture. Can you help me with this? Thanks.
