Leading wildcard search generates error 500

Not sure if this is a bug or a configuration error, so I thought I would start here.

The documentation for V3 is unchanged from V2.x
http://docs.graylog.org/en/3.0/pages/queries.html#syntax
Which states that to enable leading wildcard searches, add the following to the configuration file

allow_leading_wildcard_searches = true

I have added that to /etc/graylog/server/server.conf, but it hasn’t made any difference.

Any time I perform a search, if the query is “*something” I get an error 500

Error Message:
Unable to perform search query Failed to parse query [*2523]Failed to parse query [*2523]
Details:
Failed to parse query [*2523]
Failed to parse query [*2523]
Search status code:
500
Search response:
cannot GET https://my.server.com:9000/api/search/universal/relative?query=%2A2523&range=0&limit=150&sort=timestamp%3Adesc (500)

I get this error regardless if I search just anywhere (as above) or if I search a specific field.

The configuration file does not already have a section for this option in it, unlike all of the other options - I’m wondering if the method of configuring this has changed in V3?

(I am new to Graylog, and have started on V3, all recently downloaded in the last week or so)

Any help or suggestions welcome - In particular, we need to be able to search our “client_user_id” field for *userid* due to the varied way it can be represented.

that is a known issue that will be fixed soon - as a PR is already given: https://github.com/Graylog2/graylog2-server/pull/5730

Thanks jan,

Do you know if the config file entry will still be required once the fix is released?

For anyone else who has this issue, I realised that a regex search will meet our needs eg

client_user_id:/.*userid.*/

This gives us the result we were looking for

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.