Searching letters in messages

Hi everyone I have some difficulties with searching messages within the streams.
In my case I have connected Domain Controller to my Graylog server so via winlogbeat I am getting messages to streams in graylog.
I want to search Account name which includes letters PC.


In logs we have lots of names which include letters PC so when I am searching exact expression like in this photo(201PC3302) search query give results for exact matching but I want to search every message with letters PC.

My Search Query is ( beats_type:winlogbeat AND message:" Logon Type: 3 " AND message:"Account Name: PC ")
This query is not giving any results.

Thanks !

AND message:"Account Name: PC " makes it an exact search because of “”.

Try message:"Account Name" /.*PC.*/

The // part is a regular expression.

Hi Arie. Thanks for your response.


As you can see from photo I searched as you said however PC is still not highlighted in the message.

Sorry, Something went wrong on posting, can you check for this:

message:“Account Name” /.*PC.*/

You can mess around with regex @ https://regex101.com/

1 Like

Looks like there is a quotes issue here. If you are typing/copying/pasting directly into the forums you get quotes like these “” but Graylog (Elasticsearch and Mongo) all choke on those. Make sure you are using " quotes in all instances where you are creating queries or writing pipeline rules…

2 Likes

I found how to do it thanks for helping me.
beats_type:winlogbeat AND message:" Logon Type: 3 " AND message:“Account Name” AND message: PC
By searching like that you could find all messages which includes Letters PC. Logon Type 3 field is the Domain controller message type you could remove it if you want when searching. " quotes is not working unfortunately.

1 Like

When posting community removes ** this marks

When you post code use the </> tool in the dialog box to retain code formatting like wildcards and indentation…

AND NOT message:*PC*

By default this doesn’t work because Graylog turns leading wildcards off - too resource hungry:

from /etc/graylog/server/server.conf:

allow_leading_wildcard_searches = false

You can try via regex though:

…AND NOT /.*PC.*/

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.