Wildcard in field value alert

alias · December 6, 2018, 6:19pm

HI,

I’ve a log with field parsing value as : [content:tcpdi].

My rule stream match the content and send his log in this stream. But when I use the Field Content Alert Condition with field name: content and value “tcp*” (without quote), the alert condition didn’t match.

When I use “content:tcp*” (without quote) in search query field, it match. But when I see the details of alert condition, the translate alert query is ‘content:“tcp*”’ (without single quote). INdeed, when I try with this translate query in the search query field, he didn’t match.

Someone have a solution ?

Thanks

macko003 · December 6, 2018, 7:18pm

check another field with wildcard search, after check your default Elasticsearch template for your filed and the working file also
maybe you can’t use wildcard on not analyzed fields.

system · December 20, 2018, 7:31pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Wildcard search question Graylog Central (peer support)	9	37764	April 4, 2018
Wildcard Search Issue Graylog Central (peer support)	5	3057	June 11, 2018
Searching question Graylog Central (peer support)	3	603	November 9, 2017
Searching special characters Graylog Central (peer support)	9	7569	June 3, 2020
Search Query to find a value that contains certain value Graylog Central (peer support)	2	3042	August 21, 2023

Wildcard in field value alert

Related Topics