Search query containing an equal character


(Guillaume Loetscher) #1

Hello,

I'm trying to do a query search containing an equal ("=") character in it.

I've got plenty of logs looking like this:

<22>postfix/smtpd[9136]: E4A4E34AA5: client=localhost.localdomain[127.0.0.1]

I want to query all messages that haven't been posted from
"localhost.localdomain".

I've looked at the query documentation here (http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html) and tried multiple queries in Kibana and through a "curl" command, but
no luck.

Right now, I did this query: -"client=localhost.localdomain", but no
luck, it keeps giving me answers with this precise string.

I also tried to protect the "=" character with a backslash.

How is it possible to do a query search with this character?

Thanks a lot,

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/535ac45a-6698-422e-848f-594a824032a5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(Guillaume Loetscher) #2

Hi,

No one knows? I can't imagine that no one has done a query on a string
containing a "=" character in it.

Maybe my question is not clear enough. If so, please tell me where, I'll
try to make it clearer.

Many thanks,

On Saturday 15 March 2014 at 00:02:08 UTC+1, Guillaume Loetscher wrote:



(Binh Ly-2) #3

Your field is likely using the standard analyzer, which by default
strips the = symbol. If you have the raw (not_analyzed) field indexed, you
can do something like this:

.raw:client=localhost.localdomain

This is probably not the best query to execute (because of the wildcards),
but it illustrates that the = symbol can be searched for if you map it
correctly for indexing.



(Guillaume Loetscher) #4

On Monday 17 March 2014 at 18:28:29 UTC+1, Binh Ly wrote:


I don't have such field, but thanks for the pointer to "elasticsearch
analyzer", I'll look at it asap.

Thanks again.



(Alexander Reelsen) #5

Hey Guillaume,

while it might make sense to fire a query like this, I think it is more
useful to actually make your unstructured data more structured. When you
take a look at all those postfix logs you have, you will clearly see a
pattern, that client=$name[$IP] is always the same... so it might make more
sense to actually try to extract the ip and the hostname and put that one
into several fields. This is exactly what logstash is for: getting data in,
enriching and parsing it and then store it into elasticsearch. The huge
advantage of such an enrichment process is of course, that querying now is
really simple, as you always have the "right" content (only the hostname or
only the ip) in the fields you are going to query.

You can definitely build a query which mimics this behaviour, parsing the
logfiles appropriately and querying only the fields you intend to query
might make much more sense.

See http://www.elasticsearch.org/overview/logstash/ for more info...

--Alex

On Sat, Mar 15, 2014 at 12:02 AM, Guillaume Loetscher <sterfield@gmail.com> wrote:

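Post #5's advice, extracting the client hostname and IP into their own fields so the query becomes a plain field comparison instead of a phrase match on "=", as an added Python example (not code from the thread, and not Logstash itself): it applies a regex equivalent to a grok pattern to constructed lines in the shape shown above. The field names client_hostname, client_ip, queue_id and the sample lines are my assumptions.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample lines in the shape the thread shows (not real traffic).
SAMPLE_LOGS = [
    "<22>postfix/smtpd[9136]: E4A4E34AA5: client=localhost.localdomain[127.0.0.1]",
    "<22>postfix/smtpd[9140]: 1B2C3D4E5F: client=mail.example.net[192.0.2.10]",
    # Postfix writes "unknown" as the hostname when reverse DNS fails.
    "<22>postfix/smtpd[9140]: 7A8B9C0D1E: client=unknown[198.51.100.7]",
    "<22>postfix/smtpd[9136]: disconnect from localhost.localdomain[127.0.0.1]",
]

# Same shape a grok pattern would have: syslog PRI, program[pid], queue id,
# then the fixed "client=$name[$IP]" pattern post #5 points out.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<program>postfix/smtpd)\[(?P<pid>\d+)\]: "
    r"(?P<queue_id>[0-9A-F]+): "
    r"client=(?P<client_hostname>[^\[\s]+)\[(?P<client_ip>[^\]]+)\]$"
)


def parse_smtpd_line(line: str) -> Optional[dict]:
    """Split one smtpd 'client=' line into fields; return None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    try:
        # Reject lines whose bracketed part is not an IP literal, so a
        # malformed line is not indexed with a bogus client_ip.
        fields["client_ip"] = str(ipaddress.ip_address(fields["client_ip"]))
    except ValueError:
        return None
    fields["pri"] = int(fields["pri"])
    fields["pid"] = int(fields["pid"])
    return fields


def not_from(lines, hostname: str) -> list:
    """Equivalent of 'NOT client_hostname:<hostname>' over the parsed events.

    The hostname comes from reverse DNS and is not under your control; for
    any trust decision compare client_ip instead.
    """
    events = (parse_smtpd_line(line) for line in lines)
    return [e for e in events if e is not None and e["client_hostname"] != hostname]
```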
