Hi,
I want to create alert based on Elasticsearch query result and we have log message that contain "Error #-" from specific hostname.
{
"query": {
"bool": {
"must": [
{ "match": {"message": "Error #-"}},
{ "match": {"agent.hostname":"hostname"}}
]
}
}
}
Using that query, I couldn't capture those specific log message, instead it capture all message that contain "Error".
How can I capture message that contain "Error #-" only?
Thank you.
Andre
Hi,
That is because "match" query is a Full text query. Both document fields and query sentences are analyzed to tokens. Maybe the analyzer ignored "#-" and not indexed it as a token.
For exact partial match search, use wildcard queries for wildcard fields or use match phrase query with ngram analyzer. This post is related.
If "Error #-" is a prefix, use keyword mapping and prefix query is another option.
If performance is acceptable, use runtime field with your own script to parse the message field is also another option.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.