Graylog wildcard exclude search


(Milos Cuculovic) #1

I wold like to create a dashboard widget by adding some search results. My goal is to search for message containing “connect from unknown” and excluding messages containing “123.123.123.*”.

I tried to do it with:

message:"connect from unknown" AND NOT message:"123.123.123.*"

But messages like “connect from unknown[123.123.123.123]” are still visible.
If I change the query to

message:"connect from unknown" AND NOT message:"123.123.123.123" 

Then it works.

Note that I changed the graylog config file /etc/graylog/server/server.conf to allow_leading_wildcard_searches = true


(Milos Cuculovic) #2

Found the solution: by adding double quotes, it looks for exact search, so the wildcard is not taken into consideration. Removed the double quotes and all worked well.

message:"connect from unknown" AND NOT message:123.123.123.*

(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.