Hi,
I am using ES 2.3.3 and Kibana 4.5.1 and trying to match a pattern in the log entry with regex, but it doesn't work as expected. The field I am using is message.raw, and below are the mapping and an example:
Mapping:
"message" : {
  "type" : "string",
  "norms" : {
    "enabled" : false
  },
  "fielddata" : {
    "format" : "disabled"
  },
  "fields" : {
    "raw" : {
      "type" : "string",
      "index" : "not_analyzed",
      "ignore_above" : 256
    }
  }
}
Example (from the json format of the entry):
"message": "2018-05-15 16:55:32.095 ERROR [Default Executor-thread-000000] com.xxx.xxx.xxx -\n\t\t\t\t\tsomeFunction() :: var = some messages"
The pattern I am using is:
message.raw:/[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}"."[0-9]{3} ERROR.*/
which returns nothing, but without the ERROR it works:
message.raw:/[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}"."[0-9]{3} .*/
This really confuses me. Could anyone give me some ideas what is going on? Thank you so much!