Wildcard in field value alert

alias · December 6, 2018, 6:19pm

HI,

I’ve a log with field parsing value as : [content:tcpdi].

My rule stream match the content and send his log in this stream. But when I use the Field Content Alert Condition with field name: content and value “tcp*” (without quote), the alert condition didn’t match.

When I use “content:tcp*” (without quote) in search query field, it match. But when I see the details of alert condition, the translate alert query is ‘content:“tcp*”’ (without single quote). INdeed, when I try with this translate query in the search query field, he didn’t match.

Someone have a solution ?

Thanks

macko003 · December 6, 2018, 7:18pm

check another field with wildcard search, after check your default Elasticsearch template for your filed and the working file also
maybe you can’t use wildcard on not analyzed fields.

system · December 20, 2018, 7:31pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Field Content Alert Graylog Central (peer support)	3	942	March 7, 2018
Wildcard search question Graylog Central (peer support)	9	42792	April 4, 2018
Wildcard Search Issue Graylog Central (peer support)	5	3228	June 11, 2018
Field Content Alert Condition ignores logs which have log timestamp instead of indexed timestamp Graylog Central (peer support)	1	387	November 23, 2018
Alerting question Graylog Central (peer support)	5	778	April 19, 2018

Wildcard in field value alert

Related topics