Hi all,
I am on 7.13.1 on Elastic Cloud. I mapped hostname via Logstash with syslog, but for some reason the KQL search doesn't come out right. What am I doing wrong?
search:
hostname: cr1-ams1
Result:
cr1-ams1
cr2-ams1
ams1-foo
ams1-bar
search:
hostname: cr1*ams1
Result:
grok {
  match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
}
Hey @lchan,
If you search hostname: "cr1-ams1" with the quotes, you should only see entries with the hostname matching exactly cr1-ams1.
As for the wildcard, check this documentation: Kibana Query Language | Kibana Guide [7.15] | Elastic
Wildcards can only be used to specify a search prefix, i.e. they only work if they are the last character in the search string. For example, cr1* would match everything that begins with cr1.
Let me know if this helps.
Brian
Hi @brianseeders ,
I fixed the issue by adding .keyword to the field. I was told it is required to add .keyword in order to perform wildcard search such as cr*ams1
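The behaviour in this thread comes down to how the value is indexed: a text field is run through the standard analyzer, which splits cr1-ams1 into the tokens cr1 and ams1, so an unquoted search matches anything that shares either token; the .keyword sub-field (which the default dynamic mapping adds alongside every string field) stores the whole value untouched, so exact and wildcard matches see cr1-ams1 as one term. The following is an added, deliberately simplified Python model written for this thread, not Elasticsearch or Kibana code: the tokenizer is a regex approximation of the standard analyzer, and the four query functions mirror how a match, match_phrase, wildcard-on-text and wildcard-on-keyword query evaluate against the sample hostnames from the question (the document list is constructed).

```python
import fnmatch
import re

# Constructed sample hostnames, modelled on the results shown in the question.
DOCS = ["cr1-ams1", "cr2-ams1", "ams1-foo", "ams1-bar", "cr10-ams2"]


def standard_tokens(value):
    """Rough model of the standard analyzer: split on non-word characters and
    lowercase. The real analyzer uses Unicode word segmentation, but for a
    hostname like cr1-ams1 the outcome is the same: ['cr1', 'ams1']."""
    return [t.lower() for t in re.split(r"[^0-9A-Za-z_]+", value) if t]


def text_match(docs, query):
    """hostname: cr1-ams1 (unquoted) on the analyzed text field.
    Both sides are tokenized and any shared token is a hit (match query,
    OR semantics), which is why cr2-ams1 and ams1-foo show up."""
    q = set(standard_tokens(query))
    return [d for d in docs if q & set(standard_tokens(d))]


def text_phrase(docs, phrase):
    """hostname: "cr1-ams1" (quoted) on the text field is a match_phrase:
    the query tokens must appear adjacent and in order, so cr2-ams1 and
    ams1-foo no longer qualify."""
    q = standard_tokens(phrase)
    hits = []
    for d in docs:
        toks = standard_tokens(d)
        if any(toks[i:i + len(q)] == q for i in range(len(toks) - len(q) + 1)):
            hits.append(d)
    return hits


def text_wildcard(docs, pattern):
    """hostname: cr1*ams1 on the text field. Assumption of this model: the
    pattern is tested against each indexed token, never the whole hostname,
    and no single token ('cr1' or 'ams1') can match 'cr1*ams1', so the result
    is empty, matching the blank result in the question."""
    return [d for d in docs
            if any(fnmatch.fnmatchcase(t, pattern) for t in standard_tokens(d))]


def keyword_exact(docs, value):
    """hostname.keyword: cr1-ams1. The keyword sub-field stores the untokenized
    value, so only the identical string matches."""
    return [d for d in docs if d == value]


def keyword_wildcard(docs, pattern):
    """hostname.keyword: cr1*ams1 (or cr*ams1). The glob is applied to the whole
    stored value, which is what the original poster needed."""
    return [d for d in docs if fnmatch.fnmatchcase(d, pattern)]


def demo():
    """Collect every variant so the differences can be compared side by side."""
    return {
        "text: cr1-ams1": text_match(DOCS, "cr1-ams1"),
        'text: "cr1-ams1"': text_phrase(DOCS, "cr1-ams1"),
        "text: cr1*ams1": text_wildcard(DOCS, "cr1*ams1"),
        "keyword: cr1-ams1": keyword_exact(DOCS, "cr1-ams1"),
        "keyword: cr1*ams1": keyword_wildcard(DOCS, "cr1*ams1"),
        "keyword: cr*ams1": keyword_wildcard(DOCS, "cr*ams1"),
    }


if __name__ == "__main__":
    for query, hits in demo().items():
        print(f"{query:22} -> {hits}")
```

The practical takeaway for a detection rule or a saved search is to target hostname.keyword (or map hostname as type keyword in the index template) whenever the value is an identifier rather than free text; the same token-splitting applies to usernames, file paths and process names, and an analyzed-field match on such values will silently over-match in exactly the way the first search above did.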