The above query matches logs documents that have "from=" in the
message field. I am not sure why!
Full output of the query can be seen here: http://sprunge.us/PLJC
Basically, I want to search for messages that have "from=<>" in the
"@message" field in the logs I'm indexing using logstash. I'm using
Kibana to search text but I don't think that all this is relevant here.
So, what's really going on here? I also tried looking in the Lucene query
syntax and I don't find "<>" having a special meaning.
Switching to a term query will preserve the text, but the match would need
to be exact. Try playing around with the analysis or the type of query
(prefix, term).
Thanks for pointing me in the right direction, Ivan. I read about Analyzers
and got the hang of what you meant. I am actually storing logs in ES so I
plan to set analyzer to whitespace. I think that'll eliminate the issue.
(Still need to test it)
Switching to a term query will preserve the text, but the match would need
to be exact. Try playing around with the analysis or the type of query
(prefix, term).
Can you elaborate on this? What do you mean by "match would need to be
exact"? Can you explain a bit about term and prefix queries? I am a newbie
in ES so please bear with me.
A term query does not analyze the text and it only does exact matches. A
term query for the term "from" will not match "from=". Without
knowing too much of your content, a whitespace analyzer should work.
A whitespace analyzer is similar to a keyword analyzer if there are no
whitespaces in your content.
The problem with the Whitespace analyzer is, if I set that and have log lines
like:
"Message contains from=<>" and
"Message contains from=myemail@com"
If I search for myemail@com, I will not get the second line in search
results. I'm using Kibana to search my logs in ES.
On Wed, Mar 13, 2013 at 3:09 AM, Ivan Brusic ivan@brusic.com wrote:
A term query does not analyze the text and it only does exact matches. A
term query for the term "from" will not match "from=". Without
knowing too much of your content, a whitespace analyzer should work.
A whitespace analyzer is similar to a keyword analyzer if there are no
whitespaces in your content.
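The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Elasticsearch code: a small Python model of an inverted index built with two analyzers. `standard_like` is a simplified stand-in for the default analyzer (assumption: lowercase and split on every non-alphanumeric character), and all function names and the sample log lines are constructed for illustration.

```python
import re

# Constructed sample log lines, using the two shapes quoted in the thread.
DOCS = [
    "Message contains from=<>",
    "Message contains from=myemail@com",
]

def standard_like(text):
    """Simplified stand-in for the default analyzer: lowercase, drop punctuation."""
    return re.findall(r"[a-z0-9]+", text.lower())

def whitespace(text):
    """Whitespace analyzer: split on whitespace only, keep case and punctuation."""
    return text.split()

def build_index(docs, analyzer):
    """Inverted index: token -> set of document ids."""
    index = {}
    for doc_id, text in enumerate(docs):
        for token in analyzer(text):
            index.setdefault(token, set()).add(doc_id)
    return index

def match_query(index, analyzer, query_text):
    """Analyzed query: the query text is tokenized by the same analyzer,
    and a document matches if it contains any of the resulting tokens."""
    hits = set()
    for token in analyzer(query_text):
        hits |= index.get(token, set())
    return sorted(hits)

def term_query(index, term):
    """Term query: no analysis, the term must equal an indexed token exactly."""
    return sorted(index.get(term, set()))

STD = build_index(DOCS, standard_like)
WS = build_index(DOCS, whitespace)

if __name__ == "__main__":
    # "from=<>" is reduced to the single token "from", so every line matches.
    print("standard   match 'from=<>'    ->", match_query(STD, standard_like, "from=<>"))
    # With whitespace analysis the whole field "from=<>" is one token.
    print("whitespace match 'from=<>'    ->", match_query(WS, whitespace, "from=<>"))
    # ...but the address is now buried inside the token "from=myemail@com".
    print("whitespace match 'myemail@com'->", match_query(WS, whitespace, "myemail@com"))
```
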