Search specific wording but the result is not specific


#1

I tried searching with specific wording but the result is not as expected:

source:dps-acsw-fd1.2 AND message:4/0/6

I also tried the search wording below but still no luck; in fact it gives a different result from the first one:

source:dps-acsw-fd1.2 AND message:4\/0\/6

What should I do to make it specific?
This is Cisco syslog and I'm using rsyslog on the Graylog server; I don't have any extractor.

Thanks


(Dio99) #2

source:dps-acsw-fd1 AND message:"4/0/6"
source:dps-acsw-fd1 AND "GigabitEthernet4/0/6"

source:dps-acsw-fd1 AND "4/0/6"


#3

Thanks for replying,
I know I can filter using the full string such as "GigabitEthernet4/0/6", but I'm avoiding being too specific when searching; sometimes it is not Gigabit but TenGigabitEthernet0/1, and sometimes it's Ethernet1/2, depending on the device series (and sometimes we do not know which Cisco series this is).
I expect Graylog can filter with just a simple search like grep on Linux, so when it finds a string containing 4/0/6 it shows the result. Is there any way to do it?

Still no luck:


Thanks


#5

There are mistakes:
You are trying to find not a word, just the end of a word; use "*4/0/3" if you set "allow_leading_wildcard_searches = true" in the GL server.conf.
Graylog or Elasticsearch doesn't handle the "-" in hostnames well; it can cause problems sometimes.
You also have to escape the "/" and "-".
http://docs.graylog.org/en/2.4/pages/queries.html


#6

Hi, thanks for replying

Okay, done as you suggested and restarted the GL server:

I know "-" and "/" should be escaped with a backslash, but since the search results were still showing from the right hostname I didn't bother using that. Okay, I'll use it, and still no luck:


#7

I suggest playing with it step by step,
changing only one thing at a time.
Leave the hostname filter first.
As I see it, you have a "," at the end, so maybe try playing with *IF_NAME*, with or without escape characters. Then try *IFNAME,
After that, you can try the hostname. I have really bad experience with this topic (and I also saw some posts in this forum too), so try to use *fd1.2 at first.


#8

Okay, the message is what matters.
Why is this happening? Is this because Cisco syslog doesn't comply with some sort of RFC?
This makes Graylog useless for us; searching is the main feature of a log collector.

Still no luck :(
Just suggest any pattern to me and I'll report back to you (I've tried many though).


#9

No, a lot of devices don't use the standards.
Read, read, read. E.g. in another topic there is a link for Cisco settings.

Play with it; this is community support. We like to help, but we won't do it instead of you.

Another topic: if you want to search for the port number a lot of the time, extract it with an extractor.


#10

I already tried using the Cisco plugin that extracts the message; the result is still the same. The problem is in the GL search function, not in the received syslog message.
Yeah, I don't work only on port numbers though; it's just an example.

If there's a workaround it would really help us as network guys.
Many thanks


#11

Report a bug if you have enough information to prove it is one.
As I see it, you have problems with special characters, and you gave up.


#12

It's not a bug; it works as the devs expected.
I know it has special chars; as you can see in the previous post, I tried escaping them according to the documentation.
Anyway many thanks for the help macko003, really appreciate it.
I’ll keep trying.


#13

I can suggest using a pipeline to copy the interface to a separate field, and if you also remove the special chars, it could help.
E.g. convert GigabitEthernet1/2/3, -> GE123
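As an added illustration (example code written for this page, not from the thread or from Graylog) of both why the "4/0/6" searches earlier in the thread fail and what the copy-to-a-separate-field approach in this post buys: `analyze` is a simplified approximation of the analyzer an indexed message field goes through, `phrase_matches` mimics a quoted phrase search over those tokens, and `extract_interface` does what a pipeline rule would, on constructed Cisco-style log lines. The field names (`if_name`, `if_ports`, `if_short`) and the abbreviations are assumptions.

```python
import re

# Constructed Cisco-style syslog lines; not taken from the thread's real logs.
SAMPLE_MESSAGES = [
    "%LINK-3-UPDOWN: Interface GigabitEthernet4/0/6, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet0/1, changed state to up",
    "%LINK-3-UPDOWN: Interface Ethernet1/2, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

def analyze(text):
    """Rough stand-in for a standard analyzer: split on non-alphanumerics, lowercase.
    Letters directly followed by digits stay one token ("gigabitethernet4"), so the
    bare token "4" never exists and the phrase "4/0/6" has nothing to match."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]

def phrase_matches(query, text):
    """Phrase-query semantics: the query's tokens must appear consecutively."""
    q, toks = analyze(query), analyze(text)
    return any(toks[i:i + len(q)] == q for i in range(len(toks) - len(q) + 1))

def grep_matches(query, text):
    """What the asker expected: a plain substring test, as grep would do."""
    return query in text

# Pipeline-style extraction as #13 suggests: copy the interface into its own
# fields and add a short form without "/" (GigabitEthernet1/2/3 -> GE123).
IF_RE = re.compile(r"\b(TenGigabitEthernet|GigabitEthernet|FastEthernet|Ethernet)(\d+(?:/\d+)*)")
ABBREV = {"TenGigabitEthernet": "TE", "GigabitEthernet": "GE",
          "FastEthernet": "FE", "Ethernet": "ET"}  # abbreviations are our choice

def extract_interface(message):
    """Return the fields a pipeline rule would set, or None if no interface is present."""
    m = IF_RE.search(message)
    if not m:
        return None
    kind, ports = m.groups()
    return {"if_name": kind + ports,                            # GigabitEthernet4/0/6
            "if_ports": ports,                                  # 4/0/6, exact-match friendly
            "if_short": ABBREV[kind] + ports.replace("/", "")}  # GE406

def search_by_port(messages, ports):
    """Exact match on the extracted if_ports field, whatever the interface type."""
    hits = []
    for msg in messages:
        fields = extract_interface(msg)
        if fields and fields["if_ports"] == ports:
            hits.append(msg)
    return hits
```

Once the interface lives in its own field, the search becomes an exact match on that field and no longer depends on how the free-text message was tokenized.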


(system) #14

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.