Hello!
I am trying to filter out some specific messages from a dashboard, but fail to succeed.
How can I see all messages with "Not permitted by policy" but exclude "@domain.com"?
Message is (somewhat like):
<132>1 2020-03-20T11:20:56.000+01:00 node2 [meta sequenceId="38345"] 2020-03-20T11:20:56.895+01:00 node2: Event="Registration Rejected" Reason="Not permitted by policy" Dst-alias="[email protected]" Protocol="UDP" Level="1" UTCTime="2020-03-20 10:20:56,895"
Query is:
"Not permitted by policy"
Filtering is (besides a time range):
field: mustNot
field: message
query: @domain.com
Filter not working
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: Filter not working
I think if you change the query in the filter from @domain.com to just domain.com, it should work.
The message field is "analyzed" and will break this apart, which is likely causing the problem.
-
connected
Re: Filter not working
Nope. This also doesn't work. Is there a better reference I should look at than the Nagios Log Server documentation?
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: Filter not working
Is the actual message field in Nagios Log Server like the following or is it broken up into separate fields?
Code: Select all
<132>1 2020-03-20T11:20:56.000+01:00 node2 [meta sequenceId="38345"] 2020-03-20T11:20:56.895+01:00 node2: Event="Registration Rejected" Reason="Not permitted by policy" Dst-alias="[email protected]" Protocol="UDP" Level="1" UTCTime="2020-03-20 10:20:56,895"
-
connected
Re: Filter not working
It indeed is one line.
The following query does work!
"Not permitted by policy" -domain.com*
This is just trial and error. Is there any documentation about how this query and filtering works?
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: Filter not working
I'm glad you found a solution.
Here is some information on Lucene queries:
https://lucene.apache.org/core/2_9_4/qu ... yntax.html
It can get quite tricky if you are not breaking the messages apart with a grok filter to just look at the individual pieces, because the message field is always going to be analyzed and searching is going to look at the determined individual pieces.
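As an added illustration of the point made in this last reply (this is example code written for this page, not code from the thread, from Nagios Log Server, Elasticsearch or Lucene), the following Python models what an "analyzed" message field looks like after tokenization and evaluates the two approaches from the thread against it: a field filter whose literal value is compared with the stored tokens (an assumption about how the mustNot filter behaves), and the query-bar syntax `"Not permitted by policy" -domain.com*` with phrase, prefix and prohibited clauses. The tokenizer is a deliberate simplification of Lucene's StandardTokenizer (lowercase, split on punctuation, keep a `.` between word characters), and the sample events and addresses are constructed placeholders.

```python
import re

# Constructed sample events (not from the thread); the Dst-alias values are
# placeholders laid out like the message line quoted in the question.
SAMPLE_EVENTS = [
    'node2: Event="Registration Rejected" Reason="Not permitted by policy" Dst-alias="alice@domain.com" Protocol="UDP"',
    'node2: Event="Registration Rejected" Reason="Not permitted by policy" Dst-alias="bob@other.example" Protocol="UDP"',
    'node2: Event="Registration Accepted" Reason="" Dst-alias="carol@domain.com" Protocol="UDP"',
    'node2: Event="Registration Rejected" Reason="Not permitted by policy" Dst-alias="dave@sip.domain.com" Protocol="TCP"',
]

# Word characters, optionally joined by '.' (so "domain.com" stays whole);
# '@', '"', '=', ':' and '-' all separate tokens. Simplified model only.
TOKEN_RE = re.compile(r"[a-z0-9]+(?:\.[a-z0-9]+)*")


def analyze(text):
    """Approximate what an analyzed field stores: lowercased word tokens.
    'Dst-alias="alice@domain.com"' -> ['dst', 'alias', 'alice', 'domain.com'];
    the literal string '@domain.com' never exists as a token."""
    return TOKEN_RE.findall(text.lower())


def must_not_field_filter(events, value):
    """Model (assumption) of a field/mustNot filter that compares the filter
    value verbatim against the stored tokens; returns the surviving events."""
    return [e for e in events if value.lower() not in analyze(e)]


# A small subset of Lucene query syntax: optional +/- sign, then either a
# quoted phrase or a single term; a trailing '*' on a term makes it a prefix.
CLAUSE_RE = re.compile(r'([+-]?)(?:"([^"]*)"|(\S+))')


def parse_query(query):
    clauses = []
    for sign, phrase, term in CLAUSE_RE.findall(query):
        if term:
            kind = "prefix" if term.endswith("*") else "term"
            clauses.append((sign, kind, analyze(term.rstrip("*"))))
        else:
            clauses.append((sign, "phrase", analyze(phrase)))
    return clauses


def clause_matches(kind, qtokens, doc_tokens):
    if not qtokens:
        return False
    if kind == "prefix":
        # Prefix matching is anchored at the start of a token.
        return any(t.startswith(qtokens[0]) for t in doc_tokens)
    if kind == "term":
        return qtokens[0] in doc_tokens
    # Phrase: the query tokens must appear consecutively in the document.
    n = len(qtokens)
    return any(doc_tokens[i:i + n] == qtokens for i in range(len(doc_tokens) - n + 1))


def query_matches(query, event):
    """Lucene-style boolean semantics with the default OR operator: no
    prohibited clause may match; if required (+) clauses exist they must all
    match, otherwise at least one optional clause must match."""
    doc_tokens = analyze(event)
    buckets = {"+": [], "-": [], "": []}
    for sign, kind, qtokens in parse_query(query):
        buckets[sign].append(clause_matches(kind, qtokens, doc_tokens))
    if any(buckets["-"]):
        return False
    if buckets["+"]:
        return all(buckets["+"])
    return any(buckets[""])


def search(query, events=SAMPLE_EVENTS):
    return [e for e in events if query_matches(query, e)]


if __name__ == "__main__":
    print(analyze('Dst-alias="alice@domain.com"'))
    print(len(must_not_field_filter(SAMPLE_EVENTS, "@domain.com")), "events survive a mustNot on '@domain.com'")
    for e in search('"Not permitted by policy" -domain.com*'):
        print("kept:", e)
```

Two things to take from running it: the mustNot filter on `@domain.com` excludes nothing, because no stored token ever contains the `@`, which is the behaviour the reply above attributes to the analyzed field; and `-domain.com*` only removes tokens that begin with `domain.com`, so a rejected registration for `dave@sip.domain.com` still shows up, since prefix matching is anchored at the start of a token. The real StandardTokenizer may split a message differently from this model, so when a filter misbehaves in the product, inspecting the actual tokens (Elasticsearch's `_analyze` API does this) is quicker than trial and error.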