
[graylog2] Quickfilter help please

Matt Parlane
May 17, 2012 at 9:42 am
Hi all...

I've just set up Graylog2 and I'm really enjoying it so far.

I have routed postfix messages to it, but I'm having a bit of trouble
searching. What I did was first search for "*parlane*" (without quotes)
in the Message field, and I got this message:

postfix/smtp[13996]: 902A78E053C: to=<mat...@...com>,
relay=gmail-smtp-in.l.google.com[74.125.127.26]:25, delay=1.5,
delays=0.09/0/0.68/0.71, dsn=2.0.0, status=sent (250 2.0.0 OK 1337212958
l3si9045008pbs.64)

There are a few more associated messages that postfix logs while it
processes that email, and I'd like to be able to find them. In this case,
"902A78E053C" is the message id, and manually grepping the mail.log file on
the disk gives these lines:

May 17 12:02:37 nz3 postfix/pickup[13957]: 902A78E053C: uid=1000 from=<wg>
May 17 12:02:37 nz3 postfix/cleanup[13479]: 902A78E053C:
message-id=<201...@...gs>
May 17 12:02:37 nz3 postfix/qmgr[10926]: 902A78E053C:
from=<w...@...gs>, size=637, nrcpt=1 (queue active)
May 17 12:02:39 nz3 postfix/smtp[13996]: 902A78E053C:
to=<mat...@...com>,
relay=gmail-smtp-in.l.google.com[74.125.127.26]:25, delay=1.5,
delays=0.09/0/0.68/0.71, dsn=2.0.0, status=sent (250 2.0.0 OK 1337212958
l3si9045008pbs.64)
May 17 12:02:39 nz3 postfix/qmgr[10926]: 902A78E053C: removed

But I can't seem to search for 902A78E053C in Graylog2. I've tried all
sorts of things... any ideas?

Thanks,

Matt


5 responses

  • Michael Baydoun at May 17, 2012 at 1:16 pm
    Message searches can not start with a wildcard

    These should work
    902A78E053C:
    902A78E053C*


  • Matt Parlane at May 17, 2012 at 9:22 pm

    On Friday, May 18, 2012 1:16:46 AM UTC+12, IndyMichaelB wrote:

    Message searches can not start with a wildcard

    These should work
    902A78E053C:
    902A78E053C*

    I tried both of those but no joy. Also, I searched for "*parlane*" (without
    quotes) to find emails sent to myself and it found them -- isn't that a
    search starting with a wildcard?

    I forgot to mention but I'm running the latest version of pretty much
    everything -- Graylog2 0.9.6p1-RC2, ElasticSearch 0.19.3.

    Cheers,

    Matt
  • Michael Baydoun at May 18, 2012 at 2:05 am
    I would say that is starting a search with a wildcard.

    Interesting, because the documentation
    https://github.com/Graylog2/graylog2-web-interface/wiki/Message-search-syntax
    states:

    Wildcards

    There are two supported wildcard operators: ? for a single character and * for
    zero or more characters.

    If you want to search for Exception or Exzeption use this query: Ex?eption
    If you want to search for foo1, foobar1 or foobaz1 use this query: foo*1

    Note that you can't use a wildcard operator at the beginning of a term.


  • Scot Spinner at Jan 31, 2013 at 12:25 am
    I'm experiencing a similar issue. It seems like the search is putting
    spaces on either side of the search query. So for the message:

    May 17 12:02:39 nz3 postfix/qmgr[10926]: 902A78E053C: removed

    Searching for 'removed' would return fine, but searching for '10926' would
    return nothing. Can anyone confirm this? I'm using the same versions that
    matt is.

    Thanks, Scot


    --
    You received this message because you are subscribed to the Google Groups "graylog2" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Lennart Koopmann at Jan 31, 2013 at 12:26 am
    This is a problem with the whitespace analyzer in 0.9.6 - Click on
    "What terms was this message broken to" to see what you can search
    for. This is greatly improved in 0.10.0-x releases. :)

    Cheers,
    Lennart



    --
    TORCH UG (haftungsbeschränkt)
    Max-Brauer-Allee 10
    22765 Hamburg

    Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
    Geschäftsführer: Hass Chapman (CEO)

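The tokenization behaviour Scot observed and Lennart explains, as an added illustration that is not code from this thread or from Graylog2: a whitespace-only tokenizer keeps "postfix/qmgr[10926]:" and "902A78E053C:" as single terms, so an exact term lookup for the pid or the queue id finds nothing, while a tokenizer that also splits on punctuation indexes them separately. The two analyzer functions are approximations of Elasticsearch's whitespace and standard analyzers (not their real implementation), and the sample lines are constructed from the postfix output quoted above, with the syslog prefix removed.

```python
import re

# Constructed sample lines, taken from the postfix output quoted in the thread,
# as they would sit in the Graylog2 message field (syslog timestamp/host removed).
SAMPLE_MESSAGES = [
    "postfix/pickup[13957]: 902A78E053C: uid=1000 from=<wg>",
    "postfix/qmgr[10926]: 902A78E053C: from=<w@example.invalid>, size=637, nrcpt=1 (queue active)",
    "postfix/qmgr[10926]: 902A78E053C: removed",
]


def whitespace_terms(text):
    """Approximation of Elasticsearch's whitespace analyzer (Graylog2 0.9.6):
    split on whitespace only, so punctuation stays glued to the term and
    case is preserved."""
    return text.split()


def standard_like_terms(text):
    """Rough approximation of the standard analyzer: split on anything that is
    not a letter or digit, then lowercase. Queue ids and pids become their own terms."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]


def search(query, messages, analyzer):
    """Exact term search: the query goes through the same analyzer as the index,
    and every query term must appear verbatim among the message's terms."""
    wanted = analyzer(query)
    return [m for m in messages if all(t in analyzer(m) for t in wanted)]


if __name__ == "__main__":
    # Roughly what "What terms was this message broken to" shows for the last line,
    # followed by the hit count for the three queries discussed in the thread.
    for name, analyzer in (("whitespace", whitespace_terms), ("standard-like", standard_like_terms)):
        print(name, analyzer(SAMPLE_MESSAGES[2]))
        for q in ("removed", "10926", "902A78E053C"):
            print(f"  {q!r}: {len(search(q, SAMPLE_MESSAGES, analyzer))} hit(s)")
```

In this model the term "902A78E053C:" (colon included) does match under the whitespace analyzer, which is why inspecting the indexed terms in the UI beats guessing; in Lucene query syntax a bare colon separates field from value, so such a term has to be quoted or escaped before it reaches the query parser.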
