I am completely new to Graylog (and SIEM systems on the whole) and am trying to understand the search language, but I am having some difficulty.
I have a few questions and issues that I would be much appreciative if anyone could answer:
- regarding this sentence from http://docs.graylog.org/en/2.2/pages/queries.html:
Also note that message, full_message, and source are the only fields that are being analyzed by default. While wildcard searches (using * and ?) work on all indexed fields, analyzed fields will behave a little bit different. See wildcard and regexp queries for details.
I was unsuccessful in finding out what analyzed fields are and how they work differently (I am guessing it uses regex rather than wildcards, but I haven't seen it written anywhere to confirm this).
What are analyzed fields, how do they work differently from standard fields (are there any differences other than searching), and can I add new fields to be analyzed?
- I am unable to use wildcards successfully. For example, this would work: "Domain: DOMAINNAME", but this wouldn't: "Domain: DOMAI*". Are searches case insensitive (other than keywords such as AND or NOT)? Because that doesn't work either.
- I am collecting logs from Windows servers (using nxlog), and noticed I have some similar search fields such as 'Domain' and 'AccountDomain' (it's actually the only similar pair I have noticed, but I assume there are more). Is there any difference between the two? Can I merge them together?
Thanks in advance for the help.
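The distinction the quoted documentation draws between analyzed and non-analyzed fields is easiest to see by modelling what each kind of field writes into the index and how a plain term versus a wildcard term is matched against it. The following is an added example, not code from the original post, from Graylog or from Elasticsearch. It assumes the behaviour of Elasticsearch's default standard analyzer (split into alphanumeric tokens, lowercase) for the three fields the documentation lists as analyzed by default, a verbatim keyword term for every other field, and a query parser that analyzes plain terms but passes wildcard terms through unchanged; the field name Domain comes from the post, while the log records and their values are constructed for the example.

```python
"""
Toy model of analyzed vs. non-analyzed (keyword) fields in a Lucene-style
index. Added example, not Graylog's or Elasticsearch's own code.
Assumptions: the standard analyzer lowercases and splits on
non-alphanumerics; keyword fields store the value as one case-preserved
term; plain query terms are analyzed for analyzed fields, wildcard terms
are never analyzed.
"""
import re
from typing import Dict, List

# Fields that Graylog 2.2 analyzes by default, per the quoted documentation.
# Every other field is modelled as a keyword field (stored verbatim).
ANALYZED_FIELDS = {"message", "full_message", "source"}


def analyze(text: str) -> List[str]:
    """Approximation of the standard analyzer: alphanumeric tokens, lowercased."""
    return [tok.lower() for tok in re.findall(r"[0-9A-Za-z_]+", text)]


def index_terms(field: str, value: str) -> List[str]:
    """Terms that end up in the inverted index for one field value."""
    if field in ANALYZED_FIELDS:
        return analyze(value)
    return [value]  # keyword field: a single, case-preserved term


def wildcard_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Lucene-style wildcard term (* and ?) into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def term_matches(field: str, value: str, query_term: str) -> bool:
    """Evaluate a field:term query against one stored field value."""
    terms = index_terms(field, value)
    if "*" in query_term or "?" in query_term:
        # Wildcard terms are matched as typed (case preserved) against
        # the stored terms. On an analyzed field the stored terms are
        # lowercase, so an uppercase wildcard term cannot match them.
        rx = wildcard_regex(query_term)
        return any(rx.match(t) for t in terms)
    # A plain term goes through the field's analyzer before lookup, so
    # case does not matter on an analyzed field; it does on a keyword field.
    wanted = analyze(query_term) if field in ANALYZED_FIELDS else [query_term]
    return bool(wanted) and all(w in terms for w in wanted)


def search(docs: List[Dict[str, str]], field: str, query_term: str) -> List[int]:
    """Return indices of documents whose `field` satisfies field:query_term."""
    return [
        i for i, d in enumerate(docs)
        if field in d and term_matches(field, d[field], query_term)
    ]


# Constructed sample records in the shape of Windows logon events.
DOCS = [
    {"source": "dc01", "Domain": "CORP", "AccountDomain": "CORP",
     "message": "An account was successfully logged on. Domain: CORP"},
    {"source": "web01", "Domain": "WORKGROUP",
     "message": "Service started"},
]


if __name__ == "__main__":
    for field, term in [("Domain", "CORP"), ("Domain", "COR*"), ("Domain", "cor*"),
                        ("message", "CORP"), ("message", "COR*"), ("message", "cor*")]:
        print(f"{field}:{term:<6} -> {search(DOCS, field, term)}")
```

Run it and the pattern in the quoted documentation falls out: on the keyword field `Domain`, both the exact term and an uppercase wildcard match, and the lowercase wildcard does not, because the stored term is case-preserved; on the analyzed field `message`, the plain term matches regardless of case (it is lowercased before lookup), but the wildcard term must already be lowercase to match the lowercased tokens in the index.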