Hello,
The following search finds matching messages:
message:“h_status=200”
But the following search finds no matching messages
message:“h_status=2??”
I’ve read the documentation but cannot find that numbers are treated differently from ordinary text.
So how do I search for part of a number in message text? In my search every three digit number that starts with the digit 2.
Mats-Ove
Please provide some example messages.
Messages are from IIS native log (via nxlog) and I’ve choosen to format them like this in the message (IP addresses changed):
webbprd2 IIS_www: c_user= c_ip=999.999.99.999 s_srvname=webbprd2 s_srvip=999.999.99.9 h_status=200 h_time=13239 h_reqsize=676 h_rspsize=11909 h_cmd=GET /sv/stiftelseadministration/
In short I would like to filter out all messages having h_status beginning with 4 or 5.
Hej Mats,
the important is that the numbers need to be save in Elasticsearch as numbers to be handled different. When the number is saved as string it can only be handled like a string.
I realized that the way to do this is to add extractors to the input identifying the separate strings and make fields of them that are available in the search.
Mats-Ove
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
