Graylog uses Elasticsearch as rep, so I'm tagging this as Elasticsearch also.
So, I have the following message pattern:
DURATION | GET > /usuarios/XXXXXXXXXXXXXXX/cartoes/simplificados > 200 em 1060,7302 ms
and I would like to search for the durations ABOVE 1000 ms, so I came up with this regex:
DURATION \| GET > \/usuarios.*[0-9]{4,},[0-9]*.*ms
and, although it works perfectly on online tools, Graylog doesn't return anything. So I changed it to:
[0-9]{4,},[0-9]*.*ms
and still nothing. Next I tested
em 1060.*
and also nothing!!!
Can anyone help?
This did the trick:
Environment:prod AND "DURATION | GET > /usuarios/" AND message:/.*([0-9]{4,}.[0-9]{4}).*/
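An added example, not part of the original posts: Elasticsearch regexp queries are anchored and evaluated against individual indexed terms rather than the whole message, and this sketch replays the patterns above both ways. The whitespace `tokenize` helper is an assumed stand-in for the index analyzer, and the two sample messages are constructed.

```python
import re

# Patterns copied from the posts (this syntax reads the same in Lucene and Python).
QUESTION_PATTERNS = [
    r"DURATION \| GET > \/usuarios.*[0-9]{4,},[0-9]*.*ms",
    r"[0-9]{4,},[0-9]*.*ms",
    r"em 1060.*",
]
ANSWER_PATTERN = r".*([0-9]{4,}.[0-9]{4}).*"

# Constructed sample messages following the pattern in the question.
PREFIX = "DURATION | GET > /usuarios/XXXXXXXXXXXXXXX/cartoes/simplificados > 200 em "
SLOW = PREFIX + "1060,7302 ms"
FAST = PREFIX + "250,1234 ms"


def tokenize(message):
    """Assumption: whitespace split as a stand-in for the index analyzer."""
    return message.split()


def online_tool_match(pattern, message):
    """Unanchored search over the whole line, as online regex testers do."""
    return re.search(pattern, message) is not None


def term_level_match(pattern, message):
    """Anchored match against each term: the pattern must cover a whole term."""
    return any(re.fullmatch(pattern, term) for term in tokenize(message))


def report():
    """Return (pattern, online hit, term-level hit on SLOW, term-level hit on FAST)."""
    return [
        (p,
         online_tool_match(p, SLOW),
         term_level_match(p, SLOW),
         term_level_match(p, FAST))
        for p in QUESTION_PATTERNS + [ANSWER_PATTERN]
    ]


if __name__ == "__main__":
    for pattern, online, slow_hit, fast_hit in report():
        print(f"{pattern!r}: online={online} term(slow)={slow_hit} term(fast)={fast_hit}")
```

Only the last pattern fits inside a single term (`1060,7302`), which is why it is the one that returns results for the slow request and not for the fast one.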