Regex Search in message / Chars like ", ==, <=, etc / Problem

Hello Graylog Community,

We have tried hard to find something on this matter, but mostly we found issues about this with “grok patterns”.

Searching extracted fields is no problem at all with normal regex expressions, but we have a lot of trouble searching the full_message and message entries. Most of the documentation is all about extracted fields and not the (full_)message entries. We need to search in message for strings like "john":"doe" or entries like == or <=, but as soon as we try to add the ", = or <, Graylog either hangs or we don't get any results. Escaping it with \ doesn't help. Same outcome…

Any ideas how this works?

We are using Graylog 2.4.7 and Elastic 5.6.

Thank you very much and best regards,

aspectra

How you can search for the data depends on how the message is split into terms. Graylog reveals that by selecting the triangle to the right of the message and the action "show terms". That will show you how you are able to find the data, as this is how Elasticsearch has split it.

Hello Jan,

Thanks for your tip. I didn't know that. But that leaves me still with some questions:

We have a field "source" that has, for example, a system name xyz-abc123 in it. Source shows me the value "xyz-abc123", terms show me "xyz abc123", but I can still search with source:xyz-abc123 or source:/xyz-abc123/

In the message field we have a long string that contains something like …blablabla "time_total":"654321" blablabla… message shows me the string as mentioned, terms show me … time_total 654321 … Now we would like to search for something like all the "time_totals" which are followed by a number with 4 to 6 digits. In regex I would write something like message:/"time_total":"[0-9]{4,6}"/ How do the terms help me now to form my regex?

Thank you very much.

best regards,

aspectra
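To make the point about terms concrete, here is an added example (not from the thread, Graylog or Elasticsearch) that approximates what the standard analyzer does to the message field and shows why a regex written against the raw line never matches while a per-term regex does. The tokenizer rule (letters, digits and underscore form a term, everything else is dropped) and the sample log lines are constructed simplifications.

```python
import re
from typing import List

# Constructed approximation of Elasticsearch's standard analyzer, which is
# what Graylog 2.x applies to "message". Real UAX#29 segmentation has more
# rules; here only letters, digits and underscore count as word characters.
TOKEN_RE = re.compile(r"\w+", re.UNICODE)


def analyze(text: str) -> List[str]:
    """Split text into lowercased terms, as the 'show terms' action displays them.
    Punctuation-only fragments such as ==, <= or quotes never become terms."""
    return [t.lower() for t in TOKEN_RE.findall(text)]


def regex_matches_terms(text: str, pattern: str) -> List[str]:
    """Terms of `text` that a Lucene-style regex would match.
    Lucene regexps are anchored, so the whole term must match."""
    rx = re.compile(pattern)
    return [t for t in analyze(text) if rx.fullmatch(t)]


def time_total_hits(lines: List[str], lo: int = 4, hi: int = 6) -> List[str]:
    """Closest per-term equivalent of message:/"time_total":"[0-9]{4,6}"/ :
    the line must contain the term time_total and some term of lo..hi digits.
    Adjacency cannot be expressed on analyzed terms, so this is a superset."""
    digits = rf"[0-9]{{{lo},{hi}}}"
    return [
        line for line in lines
        if "time_total" in analyze(line) and regex_matches_terms(line, digits)
    ]


# Constructed sample lines in the shape described in the thread.
SAMPLES = [
    'login ok "user":"john" "time_total":"654321" rc=0',
    'login ok "user":"jane" "time_total":"12" rc=0',
    'xyz-abc123 compare a <= b and c == d',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line))
    # The raw-line regex matches no term at all; the per-term regex does.
    print(regex_matches_terms(SAMPLES[0], r'"time_total":"[0-9]{4,6}"'))
    print(regex_matches_terms(SAMPLES[0], r"[0-9]{4,6}"))
    print(time_total_hits(SAMPLES))
```

Because operators like == and <= leave no term behind, no regex on the analyzed message field can find them; they are only searchable from a field where the extractor kept them intact.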

Any tips or tricks?

Can anyone help us out with this one?

It would be greatly appreciated!

best regards,

aspectra
