Search issue with double colons

intpdm · April 18, 2024, 9:26pm

Hi.

Are there any restrictions on searching in graylog?
Because i tried to find message with text having double colons ( :: ) and not get any results, but if i look by timestamp i can see it.
There is no errors in graylog or elasticsearch logs.

Environment:

elasticsearch-oss | 7.10.2
graylog-server | 4.3.8-1
mongodb-org-server | 4.4.27
Debian 10

Test message added from GELF:

echo -e ‘{“short_message”:“testing text::WITHDOUBLE.COLONS graylog”}\0’ | nc -w 1 <server_ip> 12201

How i can search word after the :: ?

Joel_Duffield · April 18, 2024, 9:53pm

My guess is that because the message field is an indexed field it ignores the puncuation (the tldr is that it breaks aparts all the words, but punctuation spacing etc is ignored.

If you wanted to search it you would need to copy the message field into another field that was set to the datatype of keyword and then you should be able to find it in that.

intpdm · April 19, 2024, 7:43am

Thanks for answer.
Regex doesn’t work for the same reason, right?

Joel_Duffield · April 19, 2024, 12:13pm

Correct, what you can do on that field though is all the “googly search things” like words not in order etc.

Topic		Replies	Views
Specific field not indexed correctly and search not working Graylog Central (peer support)	8	2591	November 12, 2020
How to search logs with graylog Graylog Central (peer support)	6	9084	August 2, 2018
Searching for a complex string (like a UUID) returns no results Graylog Central (peer support) elastic	17	1316	January 15, 2023
Graylog Search returns strange results Graylog Central (peer support)	2	493	December 6, 2017
Elasticsearch Exception & Custom Index Template Graylog Central (peer support) basic-configuration	4	679	June 23, 2022

Search issue with double colons

Related Topics