Graylog wildcard exclude search

MilosCuculovic · September 11, 2018, 6:43am

I wold like to create a dashboard widget by adding some search results. My goal is to search for message containing “connect from unknown” and excluding messages containing “123.123.123.*”.

I tried to do it with:

message:"connect from unknown" AND NOT message:"123.123.123.*"

But messages like “connect from unknown[123.123.123.123]” are still visible.
If I change the query to

message:"connect from unknown" AND NOT message:"123.123.123.123"

Then it works.

Note that I changed the graylog config file /etc/graylog/server/server.conf to allow_leading_wildcard_searches = true

MilosCuculovic · September 11, 2018, 6:55am

Found the solution: by adding double quotes, it looks for exact search, so the wildcard is not taken into consideration. Removed the double quotes and all worked well.

message:"connect from unknown" AND NOT message:123.123.123.*

system · September 25, 2018, 6:55am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filter Stream with wildcard Graylog Central (peer support)	2	472	December 16, 2023
Wildcard Search Graylog Central (peer support)	3	3696	January 14, 2022
Excluding Character when Searching Graylog Central (peer support)	2	767	February 25, 2019
Searching special characters Graylog Central (peer support)	9	8496	June 3, 2020
Search with wildcard Graylog Central (peer support)	3	2801	August 25, 2021

Graylog wildcard exclude search

Related topics