Hi
I’m trying to create a search filter to find syslogs with a severity of zero or one. So I’d like to search messages for -0- and -1- but no matter what I try, I can’t get it to search for either of these 2 strings. I’ve tried googling to no avail. Does anyone know how to search for these? Or is there another way to sort these to then be able to alert on? Thanks!
Is the severity already in its own field (perhaps the native syslog one) or is it in the message field itself that you are looking. Would be helpful if you could post a screenshot of a message you are trying to find so we can see how its formatted.
So this is like the messages I’m hoping to filter on. These particular ones are -3- and -5-. But I can’t work out how I can just search for the code -3- or -5- or -1- so on in the Search bar.
Ah, it looks like you are trying to find something with hyphens inside the message field. The thing is the message field is an analyzed field (meaning it is stored for search optimization not as a string of text) you can read about it here Searching special characters - #7 by jan
The best way to solve this is to parse that value into its own field when its being ingested using a pipeline. Then it will be stored as a numeric value and you could run a search to find greater than etc.
But before you do all that, expand that message and see what fields other than the message field are available. There will be at least a few, and if it is a true syslog severity then it should already be in its own field.
Thanks for the info. I ended up creating a stream searching for -0-, -1- etc. I can then alert on the stream getting a hit. That seems to do the trick.
did you parse your logs as @Joel_Duffield suggested? It will give you much more value, also to build dashboards and so on.
I haven’t as yet but I will look into it. I’ve only just started using Graylog.
Hey @superfly
Maybe this might give you a start. You may need to fine tune it a bit.
In this example I create a simple REGEX extractor.
.*-(.?-.*):
Results:
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
