Regress in queries in Graylog 3.0 #5694
Comments
I could reproduce the issue in Elasticsearch 6.5.1, but not on 5.6.13. I guess there was some change in behaviour we weren't aware of.
We managed to find out why this behaviour changed:
Extract from the ES 6.0 breaking changes: https://www.elastic.co/guide/en/elasticsearch/reference/6.6/breaking-changes-6.0.html This was confirmed in elastic/elasticsearch#31297 (comment), which also links to a new way of getting the same result that was introduced after the change. Unfortunately it needs to be set in index templates, so we would need to update Graylog's templates to be able to work around the problem. To summarize:

Thanks!
Document Elasticsearch 6 change in grouping keyword searches, where the `split_on_whitespace` has been removed. Refs Graylog2/graylog2-server#5694 This also needs to be included in the 2.5 documentation.
@edmundoa: Are there any follow-up tasks for this issue or can it be closed?
@dennisoelkers as far as I know only the last point remains:

Should we create a new issue for that or modify the scope of this one?
I think there might be regress in queries in Graylog 3.0.
I updated my Graylog setup from Graylog 2.5.1/Elasticsearch 5.6 to Graylog 3.0/Elasticsearch 6.6 and discovered a problem with queries.
Expected Behavior
According to the help, I can use parentheses in queries to find any of the words:
http://docs.graylog.org/en/3.0/pages/queries.html#syntax
For example
`NOT user:(gitlab-runner jenkins git)`
This worked as expected on Graylog 2.5.1 and doesn't on 3.0. For now I had to change the query to
`NOT (user:gitlab-runner OR user:git OR user:jenkins)`
Current Behavior
The query
`NOT user:(gitlab-runner jenkins git)`
returns all items.
Possible Solution
Change the query to
`NOT (user:gitlab-runner OR user:git OR user:jenkins)`
Steps to Reproduce (for bugs)
`any_field: (value1 value2)`
`any_field:value1 OR any_field:value2`
4. It works
Context
I used these queries to filter some events from alerts. I had to change them to more complicated ones like
`NOT (user:gitlab-runner OR user:git OR user:jenkins)`
Your Environment
P.S. I haven't found any related issues.
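The rewrite described in this issue (a grouped `field:(a b c)` relying on the removed `split_on_whitespace` behaviour becomes an explicit `field:a OR field:b OR field:c`) as an added example for auditing saved alert queries after an upgrade; this is not code from Graylog or from the thread, and the function names and the sample queries are constructed here.

```python
import re

# Matches a field name followed by a parenthesised group of bare terms,
# e.g. user:(gitlab-runner jenkins git). Groups containing quotes or nested
# parentheses are deliberately not matched, so they are left untouched.
GROUP_RE = re.compile(r'(?P<field>[A-Za-z_][\w.]*)\s*:\s*\((?P<terms>[^()"]*)\)')


def _grouped_terms(match):
    """Return the bare terms of a group if it relied on implicit OR, else None."""
    terms = match.group('terms').split()
    # A single term, or a group that already uses explicit operators,
    # never depended on whitespace splitting.
    if len(terms) < 2 or any(t.upper() in ('OR', 'AND') for t in terms):
        return None
    return terms


def uses_whitespace_grouping(query):
    """True if the query contains a group whose meaning changed in ES 6."""
    return any(_grouped_terms(m) is not None for m in GROUP_RE.finditer(query))


def expand_grouped_terms(query):
    """Rewrite field:(a b c) into (field:a OR field:b OR field:c).

    Whitespace-separated terms inside the group become an explicit OR, which is
    the meaning they had on Elasticsearch 5. Everything else is returned as-is.
    """
    def replace(match):
        terms = _grouped_terms(match)
        if terms is None:
            return match.group(0)
        field = match.group('field')
        return '(' + ' OR '.join(f'{field}:{t}' for t in terms) + ')'

    return GROUP_RE.sub(replace, query)


if __name__ == '__main__':
    # Constructed sample queries, including the one from the issue.
    for q in ['NOT user:(gitlab-runner jenkins git)',
              'any_field: (value1 value2)',
              'user:(a OR b) AND message:"foo bar"']:
        flag = 'REWRITE' if uses_whitespace_grouping(q) else 'ok     '
        print(f'{flag}  {q}  ->  {expand_grouped_terms(q)}')
```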