I am stuck with the creation of filters using filebeat_log_file_path: with multiple values, to search various locations at the same time. The path names are similar to each other, so to search for a particular message in all such locations I have used a * wildcard, which does not give me the expected output.
Please have a look at the snippet below, which will help to understand the issue.
filebeat_log_file_path: /data/logs/trial11app0*/ AND message:"DECLINE"
Here, I am trying to search for the message "DECLINE" in multiple paths like "/data/logs/trial11app01", "/data/logs/trial11app02", "/data/logs/trial11app03" and "/data/logs/trial11app04", where I have kept my local logs.
The search works when I enter the below query for each path:
filebeat_log_file_path: /data/logs/trial11app01/ AND message:"DECLINE"
filebeat_log_file_path: /data/logs/trial11app02/ AND message:"DECLINE"
filebeat_log_file_path: /data/logs/trial11app03/ AND message:"DECLINE"
filebeat_log_file_path: /data/logs/trial11app04/ AND message:"DECLINE"
Is there any way that it can work without any problem by using a wildcard like * or anything else?
In addition, it makes a difference how you have stored and saved the data in Elasticsearch - without that knowledge it is nearly impossible to give you a solution at hand. You should really check the docs first.
I tried to modify my query by referring to the documentation link you shared.
Below is the modified filter that gave me the expected results:
message:"DECLINE" AND (filebeat_log_file_path:/data/logs/trial11app01 OR filebeat_log_file_path:/data/logs/trial11app02 OR filebeat_log_file_path:/data/logs/trial11app03 OR filebeat_log_file_path:/data/logs/trial11app04)
Request you to please help me with some idea which can reduce the size of my query. I am referring to the individual references to the path names that I have to write explicitly, i.e. trial11app01, trial11app02, trial11app03 and trial11app04.
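Added example, not part of the thread above: a small Python helper that generates the working OR-style query from a list of app directory names, grouping the alternatives under a single filebeat_log_file_path:( ... ) clause so the field name is written once, and that backslash-escapes the characters Lucene query_string syntax reserves (including "/", which otherwise opens a regular expression). The function names and the base directory argument are my own; whether the separate wildcard form matches depends on the field's mapping, which the thread does not show, so check it against your index before relying on it.

```python
import re

# Characters the Lucene query_string syntax treats as operators. Each one is
# backslash-escaped when it appears inside a literal value; "/" is included
# because an unescaped /.../ is parsed as a regular expression, not a path.
_RESERVED = re.compile(r'([+\-=&|><!(){}\[\]^"~*?:\\/])')


def escape_term(value: str) -> str:
    """Backslash-escape every reserved character in a literal query value.

    Escaping keeps values such as directory names from being interpreted as
    query operators, so a value cannot alter the structure of the query.
    """
    return _RESERVED.sub(r"\\\1", value)


def build_query(message: str, base_dir: str, app_names: list[str]) -> str:
    """Build one query_string matching `message` in any of the given paths.

    All alternatives target the same field, so they are written as
    field:(a OR b OR c) instead of repeating the field name per path.
    """
    if not app_names:
        raise ValueError("at least one app directory name is required")
    base = base_dir.rstrip("/")
    paths = [escape_term(f"{base}/{name}") for name in app_names]
    return (
        f'message:"{escape_term(message)}" AND '
        f'filebeat_log_file_path:({" OR ".join(paths)})'
    )


def build_wildcard_query(message: str, base_dir: str, prefix: str) -> str:
    """Wildcard variant: the literal parts are escaped, the trailing * is not.

    Whether this matches depends on how the path field is indexed (keyword vs
    analysed text), so verify it against the actual mapping.
    """
    base = escape_term(base_dir.rstrip("/"))
    return f'message:"{escape_term(message)}" AND filebeat_log_file_path:{base}\\/{escape_term(prefix)}*'


if __name__ == "__main__":
    # Constructed sample input mirroring the directories named in the thread.
    apps = ["trial11app01", "trial11app02", "trial11app03", "trial11app04"]
    print(build_query("DECLINE", "/data/logs", apps))
    print(build_wildcard_query("DECLINE", "/data/logs", "trial11app0"))
```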