\[ : [ is a metacharacter and needs to be escaped if you want to match it literally.
(.*?) : match everything in a non-greedy way and capture it.
\] : ] is a metacharacter and needs to be escaped if you want to match it literally.
Sorry I can't be more help, I'm missing something but not sure what. I have a lot on my plate this weekend to bounce this around in my home lab. If I come across anything I'll hit you up here, or perhaps someone else could join in this conversation.
message:/\[WARN\]*/ doesn't work because in regex * means repeat the previous character (0 or more times).
So it would match something like [WARN]]]]]]].
If you want to use regex you need to add the "." character before the wildcard: message:/\[WARN\].*/
Returns nothing. I believe it's because the first search forms a complete token ([WARN] as a word) but the second does not. It requires converting it to regex.
Exactly, it’s because it’s a word. But I think it’s not mandatory to use regex.
Can you try
(In normal mode (not regex mode) the wildcard can replace all characters)
To expand on the quirkiness, Elasticsearch and OpenSearch have different behavior for analyzed fields using the standard analyzer. This is important because it dictates how the text is stored in Elasticsearch and OpenSearch, which affects how you can search for that text.
As a quick example, if you have the message "apple banana orange", and this is stored in an analyzed field using the standard analyzer, each word will be its own token and you won't be able to apply search filters to the message as a whole.
In Graylog, the message and full_message fields are analyzed, so they behave differently from all other fields.
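The two points made in this thread, that `\[WARN\]*` and `\[WARN\].*` mean different things, and that an analyzed field is searched token by token rather than as a whole message, can be reproduced offline. The script below is an added illustration written for this thread, not code from Graylog or from any poster. It assumes that Python's `re.fullmatch` is a fair stand-in for Lucene's anchored term regex (both treat `*` and `.` the same way; Lucene's own syntax differs in other respects), that a split on word characters plus lowercasing is a rough approximation of the standard analyzer, and that the log messages are constructed samples.

```python
import re

# Constructed sample messages (not taken from the original thread).
MESSAGES = [
    "[WARN] disk usage at 91%",
    "[WARN]]]]]",
    "[INFO] service started",
    "apple banana orange",
]


def lucene_style_match(pattern, text):
    """Lucene term regexes are anchored: the pattern must cover the whole
    term. Python's fullmatch gives the same anchoring (assumption: the
    '*' and '.' semantics are identical, which holds for both engines)."""
    return re.fullmatch(pattern, text) is not None


def filter_whole_messages(pattern, messages=MESSAGES):
    """Apply the regex to each message as one string, i.e. what a user
    expects when the field is NOT analyzed (a keyword-style field)."""
    return [m for m in messages if lucene_style_match(pattern, m)]


def standard_analyze(text):
    """Rough approximation of the standard analyzer: break on anything that
    is not a word character and lowercase each token. Brackets, '%' and
    punctuation disappear, which is exactly why '[WARN]' is never a term."""
    return [tok.lower() for tok in re.findall(r"\w+", text)]


def filter_analyzed_field(pattern, messages=MESSAGES):
    """Apply the regex per token, which is how a regex query behaves on an
    analyzed field such as Graylog's message or full_message."""
    return [
        m for m in messages
        if any(lucene_style_match(pattern, tok) for tok in standard_analyze(m))
    ]


if __name__ == "__main__":
    # '*' repeats only the preceding ']' so this matches the odd case only.
    print(filter_whole_messages(r"\[WARN\]*"))    # ['[WARN]]]]]']
    # '.*' matches the rest of the line, which is what the poster wanted.
    print(filter_whole_messages(r"\[WARN\].*"))   # both WARN lines
    # Against tokens the brackets are gone, so the same regex finds nothing.
    print(filter_analyzed_field(r"\[WARN\].*"))   # []
    # Matching the bare, lowercased term is what works on an analyzed field.
    print(filter_analyzed_field(r"warn"))         # both WARN lines
    print(standard_analyze("apple banana orange"))
```

The last two calls show the practical consequence for writing detections: on an analyzed field, match the term the analyzer actually stored (`warn`), not the punctuation around it, or put the query on a non-analyzed copy of the field.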