Hey Guillaume,
while it might make sense to fire a query like this, I think it is more
useful to actually make your unstructured data more structured. When you
take a look at all those postfix logs you have, you will clearly see a
pattern, that client=$name[$IP] is always the same... so it might make more
sense to actually try to extract the ip and the hostname and put that one
into several fields. This is exactly what logstash is for: getting data in,
enriching and parsing it, and then storing it into elasticsearch. The huge
advantage of such an enrichment process is of course, that querying now is
really simple, as you always have the "right" content (only the hostname or
only the ip) in the fields you are going to query.
You can definitely build a query which mimics this behaviour, but parsing the
logfiles appropriately and querying only the fields you intend to query
might make much more sense.
See http://www.elasticsearch.org/overview/logstash/ for more info...
--Alex
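As an added example, not code from Alex's reply or from the logstash project: the field extraction Alex describes, done in Python with a regular expression standing in for a grok pattern, followed by the exclusion that becomes trivial once client hostname and IP are separate fields. The field names, the sample log lines and the grok pattern shown in the comment are my own assumptions.

```python
import re

# Constructed sample lines in the shape quoted in the thread (not real log data).
SAMPLE_LOGS = [
    "<22>postfix/smtpd[9136]: E4A4E34AA5: client=localhost.localdomain[127.0.0.1]",
    "<22>postfix/smtpd[9137]: 7B1C034AB2: client=mail.example.net[192.0.2.10]",
    "<22>postfix/smtpd[9138]: 1F00234AC9: client=unknown[198.51.100.7]",
]

# Regex equivalent of a logstash grok filter such as (assumed, not from the thread):
#   client=%{HOSTNAME:client_hostname}\[%{IP:client_ip}\]
# The "client=$name[$IP]" fragment is split into two dedicated fields instead of
# being left inside the free-text message.
CLIENT_RE = re.compile(
    r"^<(?P<pri>\d+)>postfix/(?P<program>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<queue_id>[0-9A-F]+): client=(?P<client_hostname>[^\[]+)\[(?P<client_ip>[^\]]+)\]"
)


def parse_postfix_line(line):
    """Return a dict of structured fields, or None if the line does not match."""
    m = CLIENT_RE.match(line)
    if m is None:
        return None
    doc = m.groupdict()
    doc["pri"] = int(doc["pri"])
    doc["pid"] = int(doc["pid"])
    doc["message"] = line  # keep the raw line alongside the extracted fields
    return doc


def not_from_host(docs, hostname):
    """Keep only events whose client_hostname differs from `hostname` (exact match)."""
    return [d for d in docs if d["client_hostname"] != hostname]


def es_query_not_from_host(hostname):
    """The same exclusion as a Query DSL body, once client_hostname is indexed
    as an exact-match (not_analyzed) field rather than searched inside `message`."""
    return {"query": {"bool": {"must_not": [{"term": {"client_hostname": hostname}}]}}}


if __name__ == "__main__":
    parsed = [parse_postfix_line(line) for line in SAMPLE_LOGS]
    for event in not_from_host(parsed, "localhost.localdomain"):
        print(event["queue_id"], event["client_hostname"], event["client_ip"])
```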
On Sat, Mar 15, 2014 at 12:02 AM, Guillaume Loetscher
<sterfield@gmail.com> wrote:
Hello,
I'm trying to do a query search containing an equal ("=") character in it.
I've got plenty of logs looking like this:
<22>postfix/smtpd[9136]: E4A4E34AA5:
client=localhost.localdomain[127.0.0.1]
I want to query all messages that haven't been posted from
"localhost.localdomain".
I've looked at the query documentation here
(http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html)
and tried multiple queries in Kibana and through a "curl" command, but
no luck.
Right now, I did this query: -"client=localhost.localdomain", but no
luck, it keeps giving me answers with this precise string.
I also tried to protect the "=" character with a backslash.
How is it possible to do a query search with this character?
Thanks a lot,
--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAGCwEM_p-CAB6d%2B_DZp9Z0Dec4X4qntm4LJJfWxgPpkBpCe1zA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.