i try to filter my search with including a questionmark. For example i have this message:
“GET /?4a0bd970fe6ghdsq HTTP/1.1” 200 17033 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0”
And i will filter for all messages starts with: GET /?
i tryed some search patterns but get always messages back with no ? in the string.
For example my search patterns:
message:"GET" AND message: "\?"
i always receive also messages like: GET /img/…
Can anybody tell me how i can tell graylog that ? must be included?
The message field you are trying to search on is indexed in OpenSearch/Elasticsearch as a text field with the standard field analyzer. This standard analyzer removes most punctuation and makes it impossible to search for. If you parse this information out, maybe by using a pipeline, and store it in a new field, that new field will be indexed as a keyword by default, which can then be searched using a regular expression. So if you stored your GET in an http_method field and the /?4a0bd970fe6ghdsq in something like a resource field, you could search on that with a query that looked something like: http_method:GET AND resource:/\/\?.*/