Re: Searching for string with hyphen at end
Posted: Wed Jun 01, 2016 4:43 pm
by hsmith
Hopefully it gives you something useful

Re: Searching for string with hyphen at end
Posted: Wed Jun 01, 2016 4:49 pm
by eloyd
Not yet. I'm actually at a customer's site in Philly this week, installing NLS and NNA and NXI for them. I thought I could try it out on their system real quick but I just have the syslog and eventlog input filters right now. Might have to wait until I get home.
Re: Searching for string with hyphen at end
Posted: Thu Jun 02, 2016 1:08 am
by WillemDH
I assume if you're using Windows event logs, you should have a field for username, see if there is a username.raw field, and try your search on that.
Sorry, but my requirement is to do a global query. The username CarlS could be in different fields ranging from Windows event logs to F5 Load Balancer logs to SharePoint IIS logs. If suddenly we notice there is a user 'CarlS-' doing some things it is not supposed to do, we need to search all logs for 'CarlS-' and only get logs for 'CarlS-'.... Is this a global ELK issue or specific to NLS?
Re: Searching for string with hyphen at end
Posted: Thu Jun 02, 2016 11:12 am
by bheden
This is a global ELK problem.
You can duplicate as many fields as you want using the raw solution that hsmith posted, and then you'd be able to search using regex across all fields.
If I can come up with a better solution, I'll reach out and let you know.
Re: Searching for string with hyphen at end
Posted: Thu Jun 02, 2016 11:22 am
by eloyd
Looking forward to that better solution. Teaching clients that typing "field_name.raw:thing_to_look_for" is required, rather than just "thing_to_look_for" is not a long-term viable solution for us.
Re: Searching for string with hyphen at end
Posted: Thu Jun 02, 2016 4:39 pm
by hsmith
eloyd wrote: Looking forward to that better solution. Teaching clients that typing "field_name.raw:thing_to_look_for" is required, rather than just "thing_to_look_for" is not a long-term viable solution for us.
As am I. It's something that I'm researching. Switching to the WhiteSpace analyzer might be a possibility, but I can't promise it is going to not break current installations. I will need to test this.
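To make the behaviour bheden and hsmith are describing concrete, here is an added example (not code from the thread, from Nagios Log Server or from Elasticsearch itself): a small Python simulation of three analyzers and two query types over constructed log lines. The `standard_analyze` function is a deliberate simplification of Elasticsearch's standard analyzer (ASCII word tokens, lowercased; the real tokenizer follows UAX#29), `keyword_analyze` stands in for a `not_analyzed` `.raw` field, and `whitespace_analyze` for the whitespace analyzer. The log lines, host names and the `CarlS-` account are all made up for the demonstration.

```python
import re

# Constructed sample log lines (not real data) mimicking a domain controller,
# an IIS/SharePoint access log, an F5 pool monitor and a mail server.
SAMPLE_LOGS = {
    1: "Jun  2 01:08:00 dc01 Logon user=CarlS domain=CORP status=success",
    2: "Jun  2 01:09:14 dc01 Logon user=CarlS- domain=CORP status=success",
    3: "2016-06-02 01:10:02 GET /sites/finance/_layouts/15/start.aspx 200 CORP\\CarlS-",
    4: "2016-06-02 01:11:45 GET /sites/finance/default.aspx 200 CORP\\CarlS",
    5: "Jun  2 01:12:30 lb01 pool=web_pool member=10.0.0.5 monitor=UP",
    6: "Jun  2 01:13:01 mail01 CarlS- authenticated via IMAP",
}


def standard_analyze(text):
    """Approximation of the 'standard' analyzer: alphanumeric word tokens,
    lowercased. Any punctuation ('-', '=', '\\', '/') is a token boundary,
    so a trailing hyphen never reaches the index."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]


def whitespace_analyze(text):
    """Stand-in for the 'whitespace' analyzer: split on whitespace only,
    no lowercasing, punctuation stays glued to the token."""
    return text.split()


def keyword_analyze(text):
    """Stand-in for a not_analyzed ('.raw') field: the whole value is one term."""
    return [text]


def match_query(docs, analyzer, query):
    """Simulated match query: the query text is analyzed with the field's own
    analyzer and a document hits if any query term equals any indexed term."""
    query_terms = set(analyzer(query))
    return sorted(doc_id for doc_id, line in docs.items()
                  if query_terms & set(analyzer(line)))


def regexp_query(docs, analyzer, pattern):
    """Simulated regexp query: the pattern must match an entire indexed term
    (Lucene semantics), so patterns are kept to syntax Lucene also accepts."""
    rx = re.compile(pattern)
    return sorted(doc_id for doc_id, line in docs.items()
                  if any(rx.fullmatch(term) for term in analyzer(line)))


def run_demo(docs=SAMPLE_LOGS):
    """Return the hit lists for each approach so the differences are visible."""
    return {
        # The root problem: 'CarlS-' is analyzed to 'carls', so CarlS matches too.
        "match_standard": match_query(docs, standard_analyze, "CarlS-"),
        # Regex on the analyzed field cannot help: no indexed term contains '-'.
        "regexp_standard": regexp_query(docs, standard_analyze, r".*carls-.*"),
        # bheden's route: regex against the untouched .raw value.
        "regexp_raw": regexp_query(docs, keyword_analyze,
                                   r".*CarlS-([^A-Za-z0-9].*)?"),
        # hsmith's route: whitespace analyzer. A plain match only hits where the
        # account is space-delimited (doc 6), not 'user=CarlS-' or 'CORP\CarlS-'.
        "match_whitespace": match_query(docs, whitespace_analyze, "CarlS-"),
        # ...so even on a whitespace field you still need a regexp to be global.
        "regexp_whitespace": regexp_query(docs, whitespace_analyze, r".*CarlS-"),
    }


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name:18s} -> {hits}")
```

The take-away for the thread's question: with the standard analyzer the hyphen is gone before the query is ever run, so neither a match query nor a regexp on that field can separate `CarlS-` from `CarlS`; a `not_analyzed` copy of the field (or a whitespace-analyzed one) keeps the hyphen, but the plain unqualified search still has to become a regexp or wildcard query because the username is usually glued to `user=` or `CORP\`, which is the caveat about breaking existing searches.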
Re: Searching for string with hyphen at end
Posted: Thu Jun 02, 2016 4:42 pm
by eloyd
Agreed. It's not a big deal (now) but as our base of users that just want to search for stuff for their helpdesk people to find missing emails, busted logons, etc. grows, limitations of the parser will become increasingly awkward to work around.
One option would be to allow multiple parsers to be used, but to make it an advanced configuration option so people who know what they're doing inside elasticsearch can take advantage of the different analyzers.
Re: Searching for string with hyphen at end
Posted: Thu Jun 02, 2016 4:52 pm
by hsmith
I'll have to sit down with Jake and Scott and figure out what the best route to take is.