Wildcard search in field doesn't work as expected

Hi all,

I am on 7.13.1 on ElasticCloud. I mapped hostname via Logstash with syslog but for some reason the KQL search doesn't come out right. What am I doing wrong?

search:
hostname: cr1-ams1

Result:
cr1-ams1
cr2-ams1
ams1-foo
ams1-bar

search:
hostname: cr1*ams1

Result:
None

  # Splits a syslog line into timestamp, hostname, program, optional pid and message
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  }

Hey @lchan,

If you search hostname: "cr1-ams1" with the quotes, you should only see entries with the hostname matching exactly cr1-ams1.

As for the wildcard, check this documentation: Kibana Query Language | Kibana Guide [7.15] | Elastic

Wildcards can only be used to specify a search prefix, i.e. they only work if they are the last character in the search string. For example, cr1* would match everything that begins with cr1.

Let me know if this helps.

Brian

Hi @brianseeders ,

I fixed the issue by adding .keyword to the field. I was told it is required to add .keyword in order to perform wildcard search such as cr*ams1

Leo
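To see why the searches in this thread behave as they do, here is an added Python simulation (not code from the thread or from Elastic) of how a text field with the standard analyzer treats these hostnames compared with a .keyword sub-field. The analyzer stand-in and the OR semantics of the unquoted match are simplifying assumptions.

```python
import fnmatch
import re

# Constructed sample values: the four hostnames shown in the thread.
DOCS = ["cr1-ams1", "cr2-ams1", "ams1-foo", "ams1-bar"]

def analyze(value):
    """Rough stand-in for the standard analyzer: lowercase, split on non-alphanumerics.
    Assumption: good enough for these hostnames; the real analyzer is Unicode-aware."""
    return [t for t in re.split(r"[^0-9a-z]+", value.lower()) if t]

def match_text(docs, query):
    """`hostname: cr1-ams1` on the analyzed text field: the query is analyzed too and
    its tokens are ORed, so any document sharing one token (here 'ams1') is a hit."""
    terms = set(analyze(query))
    return [d for d in docs if terms & set(analyze(d))]

def phrase_text(docs, query):
    """`hostname: "cr1-ams1"` with quotes: the tokens must appear adjacent and in order."""
    q = analyze(query)
    def has_phrase(tokens):
        return any(tokens[i:i + len(q)] == q for i in range(len(tokens) - len(q) + 1))
    return [d for d in docs if has_phrase(analyze(d))]

def wildcard_text(docs, pattern):
    """`hostname: cr1*ams1` on the text field: the pattern is tested against each
    individual token, never the original hyphenated value, so nothing matches."""
    pattern = pattern.lower()
    return [d for d in docs if any(fnmatch.fnmatchcase(t, pattern) for t in analyze(d))]

def wildcard_keyword(docs, pattern):
    """`hostname.keyword: cr1*ams1`: a keyword field indexes the untouched value as
    one term, so the wildcard can span the hyphen."""
    return [d for d in docs if fnmatch.fnmatchcase(d, pattern)]

if __name__ == "__main__":
    print("hostname: cr1-ams1          ->", match_text(DOCS, "cr1-ams1"))
    print('hostname: "cr1-ams1"        ->', phrase_text(DOCS, "cr1-ams1"))
    print("hostname: cr1*ams1          ->", wildcard_text(DOCS, "cr1*ams1"))
    print("hostname.keyword: cr1*ams1  ->", wildcard_keyword(DOCS, "cr1*ams1"))
```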
