Searching for string with hyphen at end

[WillemDH]

Hello,

How can I search for a string which ens with a '-', for example "CarlDS-". I keep getting results for "CarloDS". I already tried putting a backslash in front, but same result..

Grtz

[hsmith]

With the way we handle things on the back end, this may not be possible.

Take a look at this SO page: http://stackoverflow.com/questions/3612 ... ith-lucene

I've reached out to the developers for information, and I'll let you know when they respond to me. I've tried every reasonable way to search for "testmessage" versus "testmessage+" versus "testmessage-" using both Lucene and regex and have been unable to get a positive result. I'm going to keep looking at this for a bit, and if necessary file a bug report.

[WillemDH]

Ok, good to hear you also didn't find an easy solution. Looking forward to a solution.

[hsmith]

Bryan's still looking through some code. I'll let you know when I know more. This seems to be an issue related to SO page that I linked above.

[eloyd]

Would love to see regexp work in the first place. I've never been able to match anything, except using .* as the match. I'm sure I'm doing something wrong, but my regex-fu is pretty good.

[hsmith]

It's something to do with the standardAnalyzer handles queries. It seems to strip non alphanumeric characters. I have a dev looking in to it. I would love to be able to do me some regexin.

[eloyd]

Stripping non alphanumeric characters from a regex is like stripping metal objects from a car. It's kinda the point! Tell Bryan to get his a{2} in gear!

[WillemDH]

I've never been able to match anything, except using .* as the match.

Well this felt good to hear someone say this. I've also quit on using regex queries in NLS... It would be nice to see an article or guide how to use regex queries in NLS.

[hsmith]

Something that Bryan discovered and I tested today, is if you have a raw version of your field, you can search for things however you like using lucene. For instance, I have my logs incoming to 5544 tcp/udp instead of the syslog input, and then they pass through a grok filter that breaks down the syslog information the way a syslog input would. I avoid having logs with weird syslog information dropped this way. From doing this, I get a field named syslog_message.raw. I can search from this specific field using a query like this: syslog_message.raw:testmessage, and it will only give me the results for testmessage, no results for testmessage+ or testmessage-. Additionally, I can search for testmessage+ and testmessage- and only get that information. Is this the ideal way to do it? No. But it's a workaround. I'll talk to Bryan and figure out what the best way to do this moving forward will be. I assume if you're using Windows event logs, you should have a field for username, see if there is a username.raw field, and try your search on that.

Let me know if that longwinded horrible paragraph provides some clarification.

[eloyd]

Imma go try it right now!