Hi,
I'm a newbie with the ELK stack and although I've extensively searched Google for this, I just can't find the solution to my problem.
I'm running ELK 5.3 on RHEL 7.3.
I need to use the ELK stack to search in received syslogs. These syslogs are read from archive files, they are not received directly by logstash..
The logs are loaded properly in elasticsearch but when I run searches with strings containing hyphens, I'm not getting the expected results. I'm loading the syslogs messages in an index named with the pattern: logstash-%{+YYYY.MM.dd}
So far, I've been able to determine that:
- Elasticsearch tokenizes search terms when they are separated by hyphens.
- When using logstash to load content to elasticsearch, using indexes named "logstash-*" allows to use the default logstash elasticsearch template, which should include .raw fields, configured to allow not_analyzed queries.
- message.raw was removed in 2014 from the default template.
Now I'm kinda stuck, I don't know what to try next to be able to do my searches.
Do you have any idea what I should do next?
Thanks!