Hi. I've deployed elasticsearch with logstash and kibana to take in
Windows logs from my OSSEC log server, following this guide:
I've tweaked the logstash config to extract some specific fields from the
logs, such as User_Name. I'm having some issues searching on these fields.
These searches work as expected:
- User_Name: *
- User_Name: john.smith
- User_Name: john.*
- NOT User_Name: john.*
But I'm having problems with Computer accounts, which take the format
"w-dc-01$" - they're being split on the "-" and the "$" is ignored. So a
search for "w-dc-01" returns all the servers named "w-". Also I
can't do "NOT User_Name: *$" to exclude computer accounts.
The mappings are created automatically by logstash, and GET
My (limited) understanding is that the "not_analyzed" should stop the field
being split, so that my searching matches the full name, but it doesn't.
I'm trying both kibana and curl to get results.
Hope this makes sense. I really like the look of elasticsearch, but being
able to search on extracted fields like this is pretty key to me using it.
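The fix the post is circling around, as an added example (not code from the original post or from the Elasticsearch/Logstash projects): an Elasticsearch 1.x index template that maps User_Name as a not_analyzed string, so Logstash's next daily index stores "w-dc-01$" as one term, together with the query DSL for an exact match and for excluding computer accounts. The template id "logstash-windows", the local ES URL and the sample values are assumptions; the tokenizer function is a deliberately rough approximation used only to show why the analyzed field splits the value.

```python
"""Added example (not from the original post): index template mapping
User_Name as not_analyzed, plus the matching queries.  Assumptions:
ES 1.x API, a local node at ES_URL, a hypothetical template id.
Sample values such as 'w-dc-01$' are constructed."""
import json
import re
import sys
import urllib.request

ES_URL = "http://localhost:9200"          # assumption: local single node
TEMPLATE_ID = "logstash-windows"          # hypothetical template name


def standard_analyzer_approx(value):
    """Rough ASCII-only approximation of what the default 'standard'
    analyzer does to a string field: break on characters such as '-'
    and drop '$', then lowercase.  Only meant to show that 'w-dc-01$'
    never exists as a single term once the field is analyzed."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", value)]


def index_template():
    """Template applied to every *new* logstash-* index (ES 1.x syntax).
    An existing index keeps its old mapping: a field's analysis cannot
    be changed in place, so reindex or wait for the next daily index."""
    return {
        "template": "logstash-*",
        "mappings": {
            "_default_": {
                "properties": {
                    "User_Name": {"type": "string", "index": "not_analyzed"}
                }
            }
        },
    }


def exact_match_query(user_name):
    """term query: the whole not_analyzed value must match, '$' included."""
    return {"query": {"term": {"User_Name": user_name}}}


def exclude_computer_accounts_query():
    """Everything whose User_Name does not end in '$' (computer accounts).
    wildcard is a single-term query, so it only behaves on a not_analyzed
    field; the Kibana equivalent is NOT User_Name:*$ against that field."""
    return {
        "query": {
            "bool": {
                "must_not": [{"wildcard": {"User_Name": "*$"}}]
            }
        }
    }


def put_template(es_url=ES_URL, template_id=TEMPLATE_ID):
    """PUT the template to the cluster; returns the decoded JSON reply."""
    body = json.dumps(index_template()).encode()
    req = urllib.request.Request(
        "%s/_template/%s" % (es_url, template_id), data=body, method="PUT",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Show the split first, then install the template if a URL was given.
    print(standard_analyzer_approx("w-dc-01$"))   # ['w', 'dc', '01']
    print(json.dumps(index_template(), indent=2))
    if len(sys.argv) > 1:
        print(put_template(sys.argv[1]))
```

Run it with the cluster URL as the only argument to install the template; indices created afterwards (Logstash's logstash-YYYY.MM.DD pattern) pick up the not_analyzed mapping, while indices that already exist keep splitting the value until they are reindexed.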