MHMDhub / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive

WINDOWS.user="username" acts like WINDOWS.user=username #57

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Search for WINDOWS.user="username"
2. Search for WINDOWS.user=username
3. Compare results

What is the expected output? What do you see instead?
Expected: Quoted username should search for exactly that username
Current: Quoted and unquoted searches are the same

What version of the product are you using? On what operating system?

Please provide any additional information below.
Some logs contain users with domain prefix (i.e. DOMAIN/username) and some do 
not.  I would like to search for users without a domain, and currently a search 
for WINDOWS.user="username" will include results containing DOMAIN/username 
users, which could be a different user than intended.

Original issue reported on code.google.com by sitko.ma...@gmail.com on 6 Aug 2012 at 9:16

GoogleCodeExporter commented 8 years ago
Missed version / OS, running RHEL6, and I believe we're still on r363

Original comment by sitko.ma...@gmail.com on 7 Aug 2012 at 3:06

GoogleCodeExporter commented 8 years ago
The quotes mean that terms must appear in order and in the spacing given.  So, 
"abc+123" means find abc then exactly one non-indexed character (called a 
delimiter), then 123.  In the DOMAIN\username example, that means that you can 
find a specific user by searching for "DOMAIN\username" but searching just for 
"username" is the same as searching for the non-quoted username.  This is the 
behavior of full-text search, so it can't really be altered from that 
perspective.  The only real way to do it would be to specify some 
currently-unimplemented Sphinx search parameters which would say the keyword 
has to appear at the beginning of the field.  Would that be sufficient?

Original comment by mchol...@gmail.com on 7 Aug 2012 at 6:35
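The phrase semantics described in the comment above (terms must appear in order, separated by non-indexed delimiter characters) can be modelled in a few lines. The following is an added example, not code from ELSA or Sphinx; it is a constructed simplification that splits field values on delimiter characters, implements the quoted-phrase match the comment describes, and adds a hypothetical field-start ("anchored") mode standing in for the unimplemented Sphinx parameter the developer mentions, plus a strict whole-field match for comparison. The `DELIMITERS` set, the helper names and the sample events are all assumptions.

```python
import re

# Constructed approximation of "non-indexed characters": anything in this
# class is a delimiter and is dropped at index time, so "DOMAIN\username"
# becomes the two terms ["domain", "username"].
DELIMITERS = r"[\\/+\s@.:;,\-]+"


def tokenize(value):
    """Split a field value into the terms a full-text index would store."""
    return [t.lower() for t in re.split(DELIMITERS, value) if t]


def phrase_match(field_value, quoted_phrase):
    """Quoted search as the comment describes it: the phrase's terms must
    occur in order and adjacent, but may start anywhere in the field."""
    haystack = tokenize(field_value)
    needle = tokenize(quoted_phrase)
    if not needle:
        return False
    for i in range(len(haystack) - len(needle) + 1):
        if haystack[i:i + len(needle)] == needle:
            return True
    return False


def anchored_match(field_value, quoted_phrase):
    """Hypothetical field-start constraint: the phrase must be the first
    term(s) of the field. Stands in for the unimplemented parameter."""
    haystack = tokenize(field_value)
    needle = tokenize(quoted_phrase)
    return bool(needle) and haystack[:len(needle)] == needle


def exact_match(field_value, quoted_phrase):
    """Strictest reading of the report: the whole field equals the phrase."""
    return tokenize(field_value) == tokenize(quoted_phrase)


# Constructed sample events; the user values are made up for illustration.
SAMPLE_EVENTS = [
    {"id": 1, "user": "username"},
    {"id": 2, "user": "DOMAIN\\username"},
    {"id": 3, "user": "username\\svc"},
    {"id": 4, "user": "otheruser"},
]

MODES = {"phrase": phrase_match, "anchored": anchored_match, "exact": exact_match}


def search(events, quoted_phrase, mode="phrase"):
    """Return the ids of events whose user field matches under the given mode."""
    matcher = MODES[mode]
    return [e["id"] for e in events if matcher(e["user"], quoted_phrase)]


if __name__ == "__main__":
    for mode in MODES:
        print(f'{mode:9s} "username" -> {search(SAMPLE_EVENTS, "username", mode)}')
```

Under `phrase` mode the quoted search for `"username"` returns events 1, 2 and 3, which is the behaviour the issue reports. A field-start constraint removes the `DOMAIN\username` hit but still matches any value that merely begins with the term, so when a detection rule needs one specific account, a whole-field comparison (the `exact` mode here, or a post-filter applied to the returned rows) is the safer check.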

GoogleCodeExporter commented 8 years ago
Makes sense, I was just thinking putting quotes around the term would only find 
that exact term, instead of also including entries that contain the term.

Original comment by sitko.ma...@gmail.com on 7 Aug 2012 at 7:17

GoogleCodeExporter commented 8 years ago
Can't really change this functionality.

Original comment by mchol...@gmail.com on 29 Nov 2012 at 10:41