Search for greater than is ignored

Hello!

We have messages like this in our logfile:
Interface: Read orders took 93476 ms, Read 26 items
We want to filter out the milliseconds and check
whether they are greater than 15 minutes, i.e. 900000 milliseconds.
For this I wrote a Grok pattern:
%{WORD:source}%{SPACE}%{NUMBER:duration:int}%{SPACE}%{WORD:ms}.\s%{WORD:action}
This one works quite well so far. But unfortunately the > is ignored.
When I use the search message: "Read orders took" AND duration:>900000
nothing is filtered; all those with values like 94543 are displayed as well.
I suppose it is because "duration" is kept as datatype unknown.

What am I doing wrong here?

Greetings georg

You use the wrong format: it is ; instead of : before int
%{NUMBER:duration;int}

Hello,

Thanks for your hint

OK I have corrected it. But now the number is recognized as a string instead of a number :wink:

%{WORD:source}%{SPACE}%{NUMBER:duration;int}%{SPACE}%{WORD:ms}.\s%{WORD:action}


It's how Elasticsearch works: if you first save a value as a string (it guesses the type from the value), all later values of that field will be the same type. You can create your own custom mapping for this field.

Or use another name, which was not used before.
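To make the two answers above concrete, here is an added example that is not part of the thread. It hand-translates the Grok pattern into a Python regex (an assumption: Graylog's own Grok engine is not used here), runs it over a few constructed log lines, and then emulates the duration:>900000 search twice: once with duration converted to an integer, as %{NUMBER:duration;int} does, and once with duration left as a string, as happens when Elasticsearch has already mapped the field as text. The string version compares lexicographically, which is exactly why a value like 94543 shows up for "> 900000" while a genuinely large value can be missed. The custom_mapping_template function returns the index-template shape the Graylog 2.x documentation uses for custom mappings (the nested "message" type is for the Elasticsearch 2.x/5.x generation that Graylog 2 ran on; check it against your own versions). Field names, sample lines and the index prefix are assumptions.

```python
import re

# Constructed sample lines (not from the original post's logfile).
SAMPLE_LINES = [
    "Interface: Read orders took 93476 ms, Read 26 items",
    "Interface: Read orders took 945430 ms, Read 31 items",
    "Interface: Read orders took 1200345 ms, Read 12 items",
    "Interface: Read customers took 4500 ms, Read 7 items",
]

# Assumed hand-translation of the post's Grok pattern
#   %{WORD:source}%{SPACE}%{NUMBER:duration;int}%{SPACE}%{WORD:ms}.\s%{WORD:action}
# Like Grok, it is unanchored, so it matches the "took 93476 ms, Read" part
# of the message (source="took", duration="93476", ms="ms", action="Read").
GROK_EQUIVALENT = re.compile(
    r"(?P<source>\w+)\s+(?P<duration>\d+)\s+(?P<ms>\w+).\s(?P<action>\w+)"
)


def extract(line, typed=True):
    """Return the fields the pattern extracts, or None if it does not match.

    typed=True mimics %{NUMBER:duration;int} (duration becomes an int).
    typed=False mimics a field that Elasticsearch has already mapped as a
    string, so the value is stored and compared as text.
    """
    m = GROK_EQUIVALENT.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    if typed:
        fields["duration"] = int(fields["duration"])
    return fields


def over_threshold(lines, threshold_ms=900_000, typed=True):
    """Emulate the search 'duration:>threshold_ms' over the indexed values.

    With numeric values the comparison is numeric. With string values it is
    lexicographic, the behaviour seen in the thread: "93476" > "900000" is
    True because '3' > '0' in the second position, while "1200345" > "900000"
    is False because '1' < '9'.
    """
    hits = []
    bound = threshold_ms if typed else str(threshold_ms)
    for line in lines:
        fields = extract(line, typed=typed)
        if fields is None:
            continue
        if fields["duration"] > bound:
            hits.append(fields["duration"])
    return hits


def custom_mapping_template(field="duration", es_type="long", index_prefix="graylog_"):
    """Index template that forces `field` to a numeric type in future indices.

    Assumption: shape follows the custom-mapping example in the Graylog 2.x
    documentation (Elasticsearch 2.x/5.x style with a "message" mapping type).
    Existing indices keep their old mapping; only new indices pick this up.
    """
    return {
        "template": index_prefix + "*",
        "mappings": {"message": {"properties": {field: {"type": es_type}}}},
    }


if __name__ == "__main__":
    print("numeric field :", over_threshold(SAMPLE_LINES))
    print("string field  :", over_threshold(SAMPLE_LINES, typed=False))
    print("mapping       :", custom_mapping_template())
```

Running it shows the numeric field returning only the two durations that are really above 15 minutes, while the string field returns 93476 and 945430 and silently drops 1200345. That second result is the one to keep in mind: a text-mapped field does not just "ignore" the > operator, it returns wrong answers in both directions, so either apply the custom mapping (and rotate to a new index) or, as the last reply suggests, extract into a field name that has never been indexed as a string.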
