charlie
(charlie)
1
Hi,
I currently have Microsoft IIS logs shipping into Graylog with extractors for each field. What I’m looking for is a way to search for something like:
source:iis-vm-abc AND _exists_:c-ip AND NOT sc-status:a{200,399}
I’m basically looking for:
Logs are from IIS abc
The public source IP exists
The sc-status isn’t a 200-399 response (I’m after 400 -> 599)
Any idea how I can regex the last bit?
Thanks!
jan
(Jan Doberstein)
2
It depends how you have separated the information into single fields and if those fields are saved as number or string.
Number search would be easy ( http://docs.graylog.org/en/2.4/pages/queries.html#syntax ) and would be the preferred option.
What is your elasticsearch mapping for the fields you search in?
charlie
(charlie)
3
Thank you,
It’s a number field. My nxlog config is as follows:
–
–
I’ll take a look at the guide and see if I can get it to work
charlie
(charlie)
4
Perhaps I have it wrong? Current error:
Can only use regexp queries on keyword and text fields - not on [sc-status] which is of type [long]
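Added example, not from the thread or from Graylog itself: the two searches Jan contrasts (a numeric range versus a regex) applied to a handful of constructed IIS W3C log lines, so the difference behind the "Can only use regexp queries on keyword and text fields" error is visible. The log lines, the `iis-vm-abc` source name and the helper names (`parse_iis`, `matches_numeric`, `matches_regex`, `build_query`, `error_hits`) are all assumptions made for this example. The query string it builds uses the Lucene-style range syntax `field:[min TO max]` that Graylog's query docs (linked above) describe for numeric fields.

```python
import re
from typing import Iterator

# Constructed sample of IIS W3C log lines (not from the original thread).
# The #Fields header gives the column order, as an nxlog/Graylog extractor would consume it.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem sc-status c-ip
2024-01-15 10:00:01 10.0.0.5 GET /index.html 200 203.0.113.7
2024-01-15 10:00:02 10.0.0.5 GET /admin 403 203.0.113.7
2024-01-15 10:00:03 10.0.0.5 POST /login 401 198.51.100.9
2024-01-15 10:00:04 10.0.0.5 GET /old 301 203.0.113.7
2024-01-15 10:00:05 10.0.0.5 GET /broken 500 -
2024-01-15 10:00:06 10.0.0.5 GET /missing 404 198.51.100.9
"""


def parse_iis(text: str, source: str) -> Iterator[dict]:
    """Turn W3C lines into one dict per request, keyed by the #Fields names.

    sc-status is stored as int, matching the 'long' mapping from the thread.
    IIS writes '-' for an empty field, so a '-' c-ip is dropped entirely:
    that is what _exists_:c-ip tests for in Graylog.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        msg = dict(zip(fields, line.split()))
        msg["source"] = source
        msg["sc-status"] = int(msg["sc-status"])
        if msg.get("c-ip") == "-":
            del msg["c-ip"]
        yield msg


def matches_numeric(msg: dict, source: str = "iis-vm-abc",
                    low: int = 400, high: int = 599) -> bool:
    """Filter equivalent to: source:<source> AND _exists_:c-ip AND sc-status:[low TO high].

    Works because sc-status is a number; no regex is needed for a range."""
    return (msg.get("source") == source
            and "c-ip" in msg
            and isinstance(msg["sc-status"], int)
            and low <= msg["sc-status"] <= high)


# Regex that matches 400-599 written as text. Graylog/Elasticsearch will only
# run such a regexp against a keyword/text field, never against a long.
STATUS_4XX_5XX = re.compile(r"[45][0-9]{2}")


def matches_regex(msg: dict, source: str = "iis-vm-abc") -> bool:
    """Regex form of the same filter, only meaningful if sc-status were a string field.
    The explicit str() stands in for that string mapping."""
    return (msg.get("source") == source
            and "c-ip" in msg
            and STATUS_4XX_5XX.fullmatch(str(msg["sc-status"])) is not None)


def build_query(source: str, low: int, high: int) -> str:
    """Graylog search string for the numeric-field case (hypothetical helper)."""
    return f"source:{source} AND _exists_:c-ip AND sc-status:[{low} TO {high}]"


def error_hits(text: str, source: str = "iis-vm-abc") -> list:
    """URIs of requests that the numeric filter selects from the sample log."""
    return [m["cs-uri-stem"] for m in parse_iis(text, source) if matches_numeric(m)]


if __name__ == "__main__":
    print(build_query("iis-vm-abc", 400, 599))
    for uri in error_hits(SAMPLE_LOG):
        print("error response with client IP:", uri)
```

On the sample above the numeric filter returns /admin, /login and /missing; /broken is a 500 but has no c-ip, so `_exists_:c-ip` drops it, and the 200 and 301 lines fall outside the range. The regex form gives the same answer here, but only because the example converts the integer to text first; against the `long`-mapped field in the thread, that is the conversion Elasticsearch refuses to do.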
system
(system)
Closed
5
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.