query syntax question

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
SteveBeauchemin
Posts: 524
Joined: Mon Oct 14, 2013 7:19 pm

query syntax question

Post by SteveBeauchemin »

In trying to get specific data I am not sure, but it seems that the field name is ignored.

For example, a query such as this:

Code:

NLStags=sharepoint AND type=eventlog AND EventID=4672 AND NOT (SubjectUserName:xxxa1 OR SubjectUserName:xxxa2 OR SubjectUserName:SYSTEM OR SubjectUserName:audit001 OR SubjectUserName:es_002_maint)
Seems to return the same results as:

Code:

sharepoint AND eventlog AND 4672 AND NOT (xxxa1 OR xxxa2 OR SYSTEM OR audit001 OR es_002_maint)
Also, using Field:value seems to be the same as Field=value.

Is this the normal behavior I should expect? The match for sharepoint has me concerned as I have other data with sharepoint in the name and may not want that field to match a query.

I guess I expected a field value pair to do matching.

Please help me get a better idea of what to expect. Should I use fields in a query?

Thanks

Steve B
XI 5.7.3 / Core 4.4.6 / NagVis 1.9.8 / LiveStatus 1.5.0p11 / RRDCached 1.7.0 / Redis 3.2.8 /
SNMPTT / Gearman 0.33-7 / Mod_Gearman 3.0.7 / NLS 2.0.8 / NNA 2.3.1 /
NSClient 0.5.0 / NRPE Solaris 3.2.1 Linux 3.2.1 HPUX 3.2.1
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: query syntax question

Post by scottwilkerson »

Code:

NLStags=sharepoint AND type=eventlog AND EventID=4672 AND NOT (SubjectUserName:xxxa1 OR SubjectUserName:xxxa2 OR SubjectUserName:SYSTEM OR SubjectUserName:audit001 OR SubjectUserName:es_002_maint)
Did you mean to do this?

Code:

NLStags:sharepoint AND type:eventlog AND EventID:4672 NOT (SubjectUserName:xxxa1 OR SubjectUserName:xxxa2 OR SubjectUserName:SYSTEM OR SubjectUserName:audit001 OR SubjectUserName:es_002_maint)
Also, if you don't add the field: before the search term, it should search across ALL fields to find a match.

https://lucene.apache.org/core/2_9_4/qu ... x.html#NOT
Former Nagios employee
Creator:
Human Design Website
Get Your Human Design Chart
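The two points in the reply above (only "field:term" restricts a match to that field, a bare term is searched across every field, and "=" is not a field separator in Lucene syntax) can be checked offline with a small evaluator. The following is an added example written for this page; it is not Nagios Log Server, Elasticsearch or Lucene code. It assumes a standard-analyzer-like tokenizer (lowercase, split on punctuation, underscore kept), the query parser's default OR operator for a term that analyzes into several tokens, and uses constructed sample events rather than real log records.

```python
"""Toy evaluator for the Lucene query subset used in the thread: field:term,
bare terms, AND / OR / NOT and parentheses.  Added example, not Nagios Log
Server, Elasticsearch or Lucene code; analyzer and OR default are assumed."""
import re

# Constructed sample events shaped like the thread's Windows event-log records.
# Event 3 carries "sharepoint" only in its host name, not in NLStags.
EVENTS = [
    {"id": 1, "NLStags": "sharepoint", "type": "eventlog", "EventID": "4672",
     "SubjectUserName": "jsmith", "host": "sp-web-01"},
    {"id": 2, "NLStags": "sharepoint", "type": "eventlog", "EventID": "4672",
     "SubjectUserName": "SYSTEM", "host": "sp-web-01"},
    {"id": 3, "NLStags": "sql", "type": "eventlog", "EventID": "4672",
     "SubjectUserName": "jsmith", "host": "sharepoint-db-01"},
    {"id": 4, "NLStags": "sharepoint", "type": "syslog", "EventID": "4672",
     "SubjectUserName": "jsmith", "host": "sp-web-02"},
]

# The three query forms from the thread (the exclusion list is shared).
EXCLUDE = ("(SubjectUserName:xxxa1 OR SubjectUserName:xxxa2 OR SubjectUserName:SYSTEM"
           " OR SubjectUserName:audit001 OR SubjectUserName:es_002_maint)")
FIELDED = "NLStags:sharepoint AND type:eventlog AND EventID:4672 NOT " + EXCLUDE
EQUALS = "NLStags=sharepoint AND type=eventlog AND EventID=4672 AND NOT " + EXCLUDE
BARE = ("sharepoint AND eventlog AND 4672 AND NOT "
        "(xxxa1 OR xxxa2 OR SYSTEM OR audit001 OR es_002_maint)")


def analyze(text):
    """Lowercase and split on non-word characters; digits and '_' stay."""
    return set(re.findall(r"\w+", str(text).lower()))


class Parser:
    """Recursive descent: OR binds loosest, then AND / NOT, then ( ) and terms."""
    TOKEN = re.compile(r"\(|\)|[^\s()]+")

    def __init__(self, query):
        self.toks = self.TOKEN.findall(query)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_primary()
        while self.peek() in ("AND", "NOT"):
            # "a NOT b" is a prohibited clause, i.e. the same as "a AND NOT b"
            rhs = self.parse_primary() if self.take() == "AND" else ("not", self.parse_primary())
            node = ("and", node, rhs)
        return node

    def parse_primary(self):
        tok = self.take()
        if tok == "NOT":
            return ("not", self.parse_primary())
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in ("AND", "OR", ")"):
            raise ValueError("unexpected token %r" % tok)
        # Only ':' separates a field name from its value; "NLStags=sharepoint"
        # is a single bare term and is searched across every field.
        if ":" in tok:
            field, value = tok.split(":", 1)
            return ("term", field, value)
        return ("term", None, tok)


def matches(node, event):
    kind = node[0]
    if kind == "term":
        _, field, value = node
        wanted = analyze(value)
        fields = [field] if field else list(event)
        # Any analyzed token may hit (assumed default OR operator), so the bare
        # term "NLStags=sharepoint" also matches "sharepoint" in the host name.
        return any(wanted & analyze(event.get(f, "")) for f in fields)
    if kind == "not":
        return not matches(node[1], event)
    if kind == "and":
        return matches(node[1], event) and matches(node[2], event)
    return matches(node[1], event) or matches(node[2], event)


def search(query, events=EVENTS):
    """Ids of the events the query selects, in index order."""
    return [e["id"] for e in events if matches(Parser(query).parse(), e)]
```

Under these assumptions search(FIELDED) returns [1], while search(BARE) and search(EQUALS) both return [1, 3]: event 3 is the record with "sharepoint" in a different field that the original post was worried about, and the "=" form picks it up because the whole "NLStags=sharepoint" token is a bare term, not a field clause. "a NOT b" and "a AND NOT b" parse to the same tree.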
SteveBeauchemin
Posts: 524
Joined: Mon Oct 14, 2013 7:19 pm

Re: query syntax question

Post by SteveBeauchemin »

Good stuff in that Log Server tool. Seeing so many interesting actionable things.

I have a better handle on the lucene syntax now, thanks.

Now I'm gonna figure out how to add other panel types.

Please close this. I'm good for now.

Steve B
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: query syntax question

Post by scottwilkerson »

SteveBeauchemin wrote:Good stuff in that Log Server tool. Seeing so many interesting actionable things.

I have a better handle on the lucene syntax now, thanks.

Now I'm gonna figure out how to add other panel types.

Please close this. I'm good for now.

Steve B
Sounds good!

Locking