Search with wildcard

colttt · August 10, 2021, 12:52pm

Hello,

I read all the previous posts but it still doesn’t work…
my search query is:
facility:"user-level" AND _exists_:switch_lognname AND NOT (message:"General.*logout.*" OR switch_lognname:NTP)
the message looks like this:
General [meta sequenceId=1040] BOMSecurity: SSH logout by admin from src IP 172.16.100.1 from src MAC 609c.xxxx.yyyy from PRIVILEGED EXEC mode using DSA as Server Host Key.
the problem is, that I still see this message, also when I search for AND NOT mesage:General*logout* when I remove the word logout it works, so why I can’t search with wildcard and two words?

gsmith · August 11, 2021, 12:36am

Have you tried configuring this?

https://docs.graylog.org/en/4.1/pages/configuration/server.conf.html#:~:text=allow_leading_wildcard_searches%20%3D%20false

If so, what happened?

colttt · August 11, 2021, 7:26am

Hi gsmith,
I’ve configured this, but nothing happens, its still the same result, where I see General… logout… so I guess something is wrong with my syntax or it’s a bug

system · August 25, 2021, 7:26am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog Search vs curl search dramatically different results Graylog Central (peer support) curl	1	95	March 22, 2024
Queries not working properly? Graylog Central (peer support)	3	1713	May 14, 2018
Allow non-admin users to search in all available streams at the same time Graylog Central (peer support)	2	861	June 20, 2018
New Graylog install, AD users not found Graylog Central (peer support)	6	543	December 3, 2020
API Authorization error Graylog Central (peer support)	9	3428	December 14, 2017

Search with wildcard

Related Topics