5

In my Graylog server, I want to create a search value which finds the following query: ctxt__Error:"User \"USERNAME\" not found.". But I want to find ANY error for every USERNAME. My search string doesn't work when I do this: ctxt__Error:"User \"*\" not found." Is there another way to do this?

Zwen2012
  • I'd recommend asking questions about Graylog in the [Graylog Community Forums](https://community.graylog.org/). There's just a bigger specialized audience than in StackOverflow. – joschi Feb 19 '18 at 09:42

2 Answers

8

Only a few message fields are analyzed by default in Graylog, i.e. message, full_message, and source.

You can create a custom Elasticsearch index template, if you want other fields to be analyzed: http://docs.graylog.org/en/2.4/pages/configuration/elasticsearch.html#custom-index-mappings

Other than that, it should be possible to use regular expressions (not simple wildcards) in the query, but the regular expression has to match the complete field: http://docs.graylog.org/en/2.4/pages/queries.html#search-query-language

Example:

ctxt__Error:/User \".*\" not found./
joschi
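The whole-field regular expression query described in the answer above, as an added example that is not part of the original post: it builds the `field:/regex/` query from a literal message template, escaping the characters that are reserved in Lucene regexp syntax (the double quote among them), and uses Python's `re.fullmatch` as a local stand-in for whole-field matching. The function names, the `{}` slot marker and the sample values are assumptions made for illustration.

```python
import re

# Reserved characters in Lucene/Elasticsearch regexp syntax, including the
# optional operators (# @ & < > ~). '/' is added because it delimits the
# regex inside the query string.
LUCENE_RESERVED = set('.?+*|{}[]()"\\#@&<>~/')


def lucene_escape(literal):
    """Backslash-escape every reserved character in a literal fragment."""
    return "".join("\\" + c if c in LUCENE_RESERVED else c for c in literal)


def field_regex_query(field, template, slot="{}", wildcard=".*"):
    """Build field:/regex/ from a literal template; `slot` marks the wildcard.

    The regex has to match the complete field value, so no ^ or $ is added.
    """
    parts = template.split(slot)
    return "%s:/%s/" % (field, wildcard.join(lucene_escape(p) for p in parts))


def local_matcher(template, slot="{}"):
    """Offline check: re.fullmatch mirrors the whole-field requirement."""
    pattern = ".*".join(re.escape(p) for p in template.split(slot))
    return lambda value: re.fullmatch(pattern, value) is not None


# Constructed sample field values (not taken from a real system).
SAMPLES = [
    'User "alice" not found.',
    'User "bob.smith" not found.',
    'User "carol" not found. Retrying',  # trailing text: no whole-field match
    'Group "admins" not found.',
]

TEMPLATE = 'User "{}" not found.'
QUERY = field_regex_query("ctxt__Error", TEMPLATE)
HITS = [s for s in SAMPLES if local_matcher(TEMPLATE)(s)]

if __name__ == "__main__":
    print(QUERY)
    for s in HITS:
        print("match:", s)
```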
1

TL;DR

Try the following:

field_name:/regular expression/

Example:

ctxt__Error:/User .* not found./

The original accepted answer is behind the paywall, which belongs to Graylog Enterprise customers.

Please kindly refer to the answers from the Graylog community post: https://community.graylog.org/t/searching-via-regular-expression-possible/6008

haolianglearn