
custom search message field

Posted: Thu Dec 13, 2012 9:52 am
by inside_noc
Hello everyone.

I'm new to LogAnalyzer, just learning. I've encountered the following problem with custom search:
The task is to search the message field with several search strings using OR logic; the filter has the following format: filter=string1,string2. But it's not working. The filter works fine using string1 and string2 separately. What am I doing wrong?

Thanks in advance.

Re: custom search message field

Posted: Fri Dec 14, 2012 12:29 pm
by alorbach
Can you post a sample? If you look at the sample, the search string should look like this:
filter=field:=string1,string2
Or URL Replaced like this:
filter=field%3A%3Dstring1%2Cstring2

best regards,
Andre

Re: custom search message field

Posted: Tue Dec 18, 2012 7:15 am
by inside_noc
alorbach wrote: Can you post a sample? If you look at the sample, the search string should look like this:
filter=field:=string1,string2
Or URL Replaced like this:
filter=field%3A%3Dstring1%2Cstring2

best regards,
Andre


Hello Andre,

sample search filter:

filter=POS,TenGigabit

Re: custom search message field

Posted: Tue Dec 18, 2012 10:45 am
by alorbach
The field is missing; in this case you are doing a full string search on the message field for "POS,TenGigabit".
Do you want to search for multiple strings within the Message field? In this case just use
filter=POS TenGigabit

The Message field works a little differently than the other fields when performing searches.
More details here: http://loganalyzer.adiscon.com/doc/searching.html

Re: custom search message field

Posted: Wed Dec 19, 2012 10:52 am
by inside_noc
alorbach wrote: The field is missing; in this case you are doing a full string search on the message field for "POS,TenGigabit".
Do you want to search for multiple strings within the Message field? In this case just use
filter=POS TenGigabit

The Message field works a little differently than the other fields when performing searches.
More details here: http://loganalyzer.adiscon.com/doc/searching.html


Thanks, you are right. I've tested filter=POS INIT. It showed messages related to POS INIT and also POS DOWN, for example - OR logic is working, but it works within a single MSG. If we have two messages, the first is POS and the second is TenGigabit -> this method doesn't work... Is it possible to create a filter which takes into account more than one message for comparison using OR logic?

Re: custom search message field

Posted: Thu Dec 20, 2012 4:22 pm
by alorbach
I am afraid OR filtering for the message field is not possible at the moment. This would require some deeper changes to the filtering logic.

best regards,
Andre Lorbach

Re: custom search message field

Posted: Fri Dec 21, 2012 6:56 am
by inside_noc
alorbach wrote: I am afraid OR filtering for the message field is not possible at the moment. This would require some deeper changes to the filtering logic.

best regards,
Andre Lorbach


Thanks Andre.

Re: custom search message field

Posted: Thu Jan 10, 2013 9:43 pm
by sclark
In the release notes for 2.7.0 beta it says that you can do regular expression searches by prepending ~ to the search string. This does not seem to work. My source is a PostgreSQL database fed by rsyslog. I am using 3.6.1.

Re: custom search message field

Posted: Fri Jan 11, 2013 11:24 am
by alorbach
Can you post a sample search string?

Re: custom search message field

Posted: Fri Jan 11, 2013 3:25 pm
by sclark
~SMTP|smtp

Trying to search for either SMTP or smtp in the message field.

Re: custom search message field

Posted: Fri Jan 11, 2013 4:53 pm
by alorbach
This should actually work well. I will look into this and run some tests on my dev machine.

best regards,
Andre

Re: custom search message field

Posted: Fri Jan 11, 2013 5:33 pm
by alorbach
Hi,

I did indeed find a bug in the ApplyFilters function of the basic Logstream class which caused a problem with most REGEX filters.
It will be fixed within the next minor update; if you want to test the fix, you can download a snapshot from our Git repository:
http://git.adiscon.com/?p=phplogcon.git ... 33a;sf=tgz

best regards,
Andre Lorbach

Re: custom search message field

Posted: Mon Jan 14, 2013 7:34 pm
by sclark
Thanks Andre,

I would love to test the change but I am git challenged.
What git command do I use to fetch the snapshot?

Re: custom search message field

Posted: Mon Jan 14, 2013 8:42 pm
by sclark
Figured it out - clicking on the link downloaded it.

Re: custom search message field

Posted: Mon Jan 14, 2013 8:55 pm
by sclark
Great, it works!
Thanks again Andre.