Search at json object field

Hi, I am trying to search for a value in an object JSON field.
For example, I have this entry:

"Details" : {
	"PID" : "1234",
	"pName": "calc.exe"
}

I am trying to search Details:"1234"
and I get no results. I need to get results for parameters in the field. I saw some articles here from users with the same issue, but they made it work somehow.

This is not valid json format. It should start and end with {}

Valid will be:

{"Details" : {
	"PID" : "1234",
	"pName": "calc.exe"
  }
}

Did you post complete json value, or only part of it?

I meant that Details is the field name

The JSON value is actually:
{ "PID" : "1234", "pName": "calc.exe" }

Check the search help in Graylog.
Your string "1234".
So you search only for a part of the string.
You need *1234* or "1234".
And you also need to check your server.conf (if you choose the first option):

# Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only
allow_leading_wildcard_searches = true

You need to extract the values using either a JSON extractor or a pipeline rule which extracts the JSON into separate fields PID and pName. After that you can search in this field using the syntax: PID: 1234
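
One way to write the pipeline rule suggested in the last reply, as an added example that is not part of the original thread. The rule name is made up, and it assumes the Details field arrives as a JSON string like the one quoted earlier.

```graylog
rule "extract Details JSON into separate fields"
when
  // Only run on messages that actually carry the Details field
  has_field("Details")
then
  // Details holds a JSON string such as { "PID" : "1234", "pName": "calc.exe" }
  let details = parse_json(to_string($message.Details));

  // Each top-level key of the object becomes its own message field (PID, pName),
  // which makes a query such as PID:1234 or pName:"calc.exe" match.
  set_fields(to_map(details));
end
```

The rule only takes effect once it is placed in a stage of a pipeline that is connected to the stream receiving these messages, and it applies to messages processed from then on.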
