Hi-
I am completely new to Graylog (and to SIEM systems on the whole) and am trying to understand the search language, but I am having some difficulty.
I have a few questions and issues; I would be very appreciative if anyone could answer them:
Also note that message, full_message, and source are the only fields that are being analyzed by default. While wildcard searches (using * and ?) work on all indexed fields, analyzed fields will behave a little bit different. See wildcard and regexp queries for details.
I was unsuccessful in finding out what analyzed fields are and how they work differently (I am guessing they use regex rather than wildcards, but I haven't seen it written anywhere to confirm this).
What are analyzed fields, how do they work differently from standard fields (are there any differences other than searching), and can I add new fields to be analyzed?
I am unable to use wildcards successfully. For example, this would work: "Domain: DOMAINNAME", but this wouldn't: "Domain: DOMAI*". Are searches case-insensitive (other than keywords such as AND or NOT)? Because that doesn't work either.
I am collecting logs from Windows servers (using nxlog), and noticed I have some similar search fields such as "Domain" and "AccountDomain" (it's actually the only similar pair I have noticed, but I assume there are more). Is there any difference between the two? Can I merge them together?
The difference between analyzed and not_analyzed is explained in the Elasticsearch index mapping documentation. So you need to create a custom mapping to be able to do full-text search on fields other than message, full_message and source.
About item 2) "Note that leading wildcards are disabled to avoid excessive memory consumption! You can enable them in your Graylog configuration file:"
allow_leading_wildcard_searches = true
Change it in your "server.conf" and restart Graylog.
I noticed that, and it's not the case (the example I gave is not a leading wildcard).
I did find my answer afterwards, when I realized that only indexed fields can be used with wildcards.
I am still left with two other unanswered questions:
1- what is the difference between full-text-search and term-search?
2- is there a reason why I shouldnât index all my fields?
That is not easy to answer, as this might be OK in your environment but not in others. Learn how Elasticsearch handles that data internally: what makes the difference, and what happens if you set a field to analyzed. Maybe the following is a good starter for that.
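As an added illustration of the term-search versus full-text-search distinction jan is pointing at (this is example code written for this page, not code from the thread, from Graylog or from Elasticsearch): a small model of what actually lands in the inverted index for an analyzed field versus a not_analyzed one, and how a term query, a full-text match and a wildcard are evaluated against those stored terms. The sample event, the simplified standard analyzer and the wildcard-normalization rule are assumptions stated in the comments; Graylog's own `field:value` syntax behaves like `match_query` here.

```python
import fnmatch
import re
from typing import List

# Constructed sample event (not taken from the original thread): one analyzed
# field (message) and one not_analyzed field (Domain), as Graylog maps them.
EVENT = {
    "message": "Logon failure for user svc-backup from DOMAINNAME",
    "Domain": "DOMAINNAME",
}
ANALYZED = {"message": True, "Domain": False}


def standard_analyze(text: str) -> List[str]:
    """Stand-in for Elasticsearch's standard analyzer: split into words and
    lowercase them. The real analyzer uses Unicode text segmentation, which
    gives the same result for plain ASCII log text such as this."""
    return [t.lower() for t in re.findall(r"\w+", text)]


def index_terms(field: str) -> List[str]:
    """Terms stored in the inverted index for one field of EVENT.
    Analyzed (text) fields store the analyzer's tokens; not_analyzed (keyword)
    fields store the entire value as one case-preserved term."""
    value = EVENT[field]
    return standard_analyze(value) if ANALYZED[field] else [value]


def term_query(field: str, term: str) -> bool:
    """Term search: the query term is looked up verbatim, never analyzed."""
    return term in index_terms(field)


def match_query(field: str, text: str) -> bool:
    """Full-text search: the query text is run through the field's analyzer,
    and any token present in the index is a hit. A keyword field has no
    analyzer, so the query must equal the stored value exactly."""
    terms = index_terms(field)
    if ANALYZED[field]:
        return any(tok in terms for tok in standard_analyze(text))
    return text in terms


def wildcard_query(field: str, pattern: str) -> bool:
    """Wildcard search (* and ?): the pattern is matched against each stored
    term and is never tokenized. Model assumption: on a text field the pattern
    is lowercased, as the standard analyzer's normalizer does in ES 5.2+; on a
    keyword field it is compared verbatim, so case matters. fnmatch also
    accepts [...] classes, which Lucene does not; the examples avoid them."""
    if ANALYZED[field]:
        pattern = pattern.lower()
    return any(fnmatch.fnmatchcase(t, pattern) for t in index_terms(field))


if __name__ == "__main__":
    for field in EVENT:
        print(f"{field}: stored terms {index_terms(field)}")
    cases = [
        ("Domain", "term", "DOMAINNAME"), ("Domain", "term", "domainname"),
        ("Domain", "wildcard", "DOMAI*"), ("Domain", "wildcard", "domai*"),
        ("Domain", "match", "DOMAI"),
        ("message", "term", "DOMAINNAME"), ("message", "match", "DOMAINNAME"),
        ("message", "wildcard", "DOMAI*"), ("message", "wildcard", "svc-ba*"),
    ]
    fn = {"term": term_query, "match": match_query, "wildcard": wildcard_query}
    for field, kind, q in cases:
        print(f"{kind:8} {field}:{q!r:14} -> {fn[kind](field, q)}")
```

The two results worth noticing: on the not_analyzed `Domain` field `DOMAI*` matches but `domai*` does not, because the stored term keeps its case, while on the analyzed `message` field the term `DOMAINNAME` is never found because only the lowercased token `domainname` was indexed, and `svc-ba*` fails because the analyzer split `svc-backup` into two tokens at the hyphen.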
Thanks, so if I'm reading that correctly, it sounds like by default Elasticsearch will analyze all string fields with the standard analyzer unless modified by a template. So it looks like Graylog specifically makes the decision, via its default template, not to analyze all string fields. Right?
Is this the portion of the default template which disables analyzed fields?
Thanks @jan, I've read that (several times!), but I think as someone who isn't as familiar with Elasticsearch as you are, and is just using it as a means to a logging end, it would be helpful to get some context related to my question.
The examples in the linked doc only show how to change specific fields. What would I do if I want to analyze all string fields?
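One way to answer that last question, as added example code that is not part of the thread and not Graylog's or Elasticsearch's own code: instead of listing fields one by one, an index template can carry a dynamic template keyed on `match_mapping_type: "string"`, which Elasticsearch applies to every string field it maps dynamically. The block builds such a template, simulates how Elasticsearch would resolve a new field against it, and includes a helper that reads an existing mapping back and reports which fields are analyzed. Assumptions: the index pattern `graylog_*`, the mapping type name `message`, the ES 6.x `index_patterns` key (ES 2.x/5.x use `template`), and the constructed `SAMPLE_PROPERTIES` mapping.

```python
import json
from typing import Dict, Optional

# Mapping type name Graylog uses for its documents (assumption; Elasticsearch 7
# dropped mapping types entirely, so there the "message" level disappears).
DOC_TYPE = "message"


def all_strings_analyzed_template(index_pattern: str = "graylog_*",
                                  keyword_subfield: bool = True) -> Dict:
    """Index template whose single dynamic template maps every dynamically
    added string field as analyzed `text`. With keyword_subfield=True the same
    value is also stored unanalyzed under <field>.keyword, so exact,
    case-sensitive term and wildcard searches remain possible on it."""
    mapping = {"type": "text"}
    if keyword_subfield:
        mapping["fields"] = {"keyword": {"type": "keyword", "ignore_above": 256}}
    return {
        "index_patterns": [index_pattern],
        # Templates with a higher order are merged on top of lower ones;
        # assumption: 1 is above the order of Graylog's own template.
        "order": 1,
        "mappings": {
            DOC_TYPE: {
                "dynamic_templates": [
                    {"all_strings_analyzed": {
                        "match_mapping_type": "string",
                        "mapping": mapping,
                    }}
                ]
            }
        },
    }


# JSON type names Elasticsearch uses when evaluating match_mapping_type.
_JSON_TYPE = {str: "string", bool: "boolean", int: "long", float: "double"}


def resolve_dynamic_mapping(template: Dict, value) -> Optional[Dict]:
    """Simulate Elasticsearch picking a dynamic template for a field that is
    absent from the explicit mapping: the first entry whose match_mapping_type
    equals the value's JSON type (or is "*") supplies the field mapping.
    Returns None when nothing matches and the built-in defaults apply."""
    json_type = _JSON_TYPE[type(value)]
    for entry in template["mappings"][DOC_TYPE]["dynamic_templates"]:
        (rule,) = entry.values()
        if rule.get("match_mapping_type", "*") in ("*", json_type):
            return rule["mapping"]
    return None


def classify_fields(properties: Dict) -> Dict[str, str]:
    """Read a mapping's `properties` (the shape GET <index>/_mapping returns)
    and say for each field whether it is analyzed. Understands both the ES 5+
    types (text/keyword) and the ES 2.x form (string + index: analyzed/not_analyzed)."""
    out = {}
    for name, spec in properties.items():
        ftype = spec.get("type")
        if spec.get("index") in (False, "no"):
            out[name] = "not_indexed"
        elif ftype == "text" or (ftype == "string" and spec.get("index", "analyzed") == "analyzed"):
            out[name] = "analyzed"
        elif ftype == "keyword" or (ftype == "string" and spec.get("index") == "not_analyzed"):
            out[name] = "not_analyzed"
        else:
            out[name] = "not_string"
    return out


# Constructed mapping in the shape of a Graylog index (not real Graylog output):
# the three default analyzed fields plus Windows fields arriving via nxlog.
SAMPLE_PROPERTIES = {
    "message": {"type": "text"},
    "full_message": {"type": "text"},
    "source": {"type": "text"},
    "timestamp": {"type": "date"},
    "Domain": {"type": "keyword"},
    "AccountDomain": {"type": "string", "index": "not_analyzed"},  # ES 2.x spelling
    "EventID": {"type": "long"},
}

if __name__ == "__main__":
    tmpl = all_strings_analyzed_template()
    print(json.dumps(tmpl, indent=2))          # body to PUT to _template/<name>
    print(classify_fields(SAMPLE_PROPERTIES))
    print(resolve_dynamic_mapping(tmpl, "CONTOSO"))  # text with .keyword sub-field
    print(resolve_dynamic_mapping(tmpl, 4625))       # None: numbers stay long
```

Two caveats a practitioner will hit: an index template only affects indices created after it is installed, so the active Graylog index has to be rotated (or the data reindexed) before the new mapping is in effect, and mapping every string field as `text` is exactly the trade-off jan warned about, since each field now contributes tokenized terms to the index and searches on it become case-insensitive token matches rather than exact value matches; the `.keyword` sub-field is there to keep an exact-match path for fields like Domain.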