How to search the Graylog message field with a regular expression

Author: awker | Published 2020-07-20 10:50 | Read 0 times

Usage: `field_name: /regular expression/`
Test 1: `message: /.*Exception*/`

Result of `message: /.*Exception*/`
The result is empty. Why is that?
Because the Elasticsearch analyzer used by Graylog converts the values of the analyzed fields (message, full_message, source) to lowercase, the field value must be matched entirely in lowercase when searching.

The “standard” analyzer of Elasticsearch preprocesses the message fields before indexing them. Among other things, it converts the messages to lowercase.
See https://www.elastic.co/guide/en/elasticsearch/reference/5.6/analysis-standard-analyzer.html for details about the “standard” analyzer.
By default, Graylog creates an index mapping which will instruct Elasticsearch to analyze the “message”, “full_message”, and “source” fields. Other fields are not automatically analyzed.
You can change the analyzer which Elasticsearch is applying to a message field by creating your own custom index mapping:
http://docs.graylog.org/en/2.4/pages/configuration/elasticsearch.html#custom-index-mappings

Test 2: `message: /.*exception*/` (match the field value entirely in lowercase)

Result of `message: /.*exception*/`
Matching results now appear.
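To see why the two searches behave differently, here is an added Python example (not part of the original post) that approximates the standard analyzer's tokenizing and lowercasing and then runs a whole-token regexp query, the way a term-level query runs against indexed tokens rather than the raw text; the sample log lines are constructed.

```python
import re

# Constructed sample log lines standing in for Graylog "message" field values.
SAMPLE_MESSAGES = [
    "2020-07-20 10:50:01 ERROR NullPointerException in OrderService.process",
    "2020-07-20 10:50:02 INFO request completed in 12ms",
    "2020-07-20 10:50:03 WARN java.io.IOException: connection reset",
]


def standard_analyze(text):
    """Approximation of Elasticsearch's 'standard' analyzer (assumption: the
    real tokenizer follows Unicode text segmentation; here we simply split on
    non-word characters), followed by its lowercase token filter."""
    return [tok.lower() for tok in re.split(r"\W+", text) if tok]


def regexp_query(messages, pattern):
    """Emulate a term-level regexp query: the pattern must match an entire
    indexed token (anchored at both ends), not a substring of the raw message.
    Returns the messages that contain at least one matching token."""
    compiled = re.compile(pattern)
    hits = []
    for msg in messages:
        tokens = standard_analyze(msg)
        if any(compiled.fullmatch(tok) for tok in tokens):
            hits.append(msg)
    return hits


if __name__ == "__main__":
    # Test 1 from the post: mixed case never matches lowercased tokens.
    print(regexp_query(SAMPLE_MESSAGES, r".*Exception*"))   # []
    # Test 2 from the post: the lowercase pattern matches both exceptions.
    print(regexp_query(SAMPLE_MESSAGES, r".*exception*"))
```

The same effect applies to any field covered by the analyzed mapping, so a pattern that works in a raw log file may still need lowercasing in Graylog.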

Reference: https://community.graylog.org/t/wildcard-search-question/167/9

Original link: https://www.haomeiwen.com/subject/oujekktx.html