I receive multi-line log messages as a single message on graylog. I want to trigger an alert if a given string appears on the same line as another string. The log message looks like this:
**message**
```text
REALM_VM uptime
06:04:01 up 6:01, 0 users, load average: 0.09, 0.05, 0.05
REALM_VM disk usage ( df -h | grep -v tmpfs )
Filesystem Size Used Avail Use% Mounted on
/dev/dm-0 6.8G 4.1G 2.3G 65% /              <----- I want to match on this line
udev 10M 0 10M 0% /dev
/dev/vda1 180M 32M 139M 19% /boot
//LS1/realm 290G 108G 168G 40% /data/host
/dev/loop0 204M 204M 0 100% /opt
```
I want to configure an event definition that triggers when /dev/dm-0 hits or exceeds 65% (i.e. /dev/dm-0 appears and then 65% appears on the same line), but my regex doesn’t seem to work. On a single-line message I could have broken this up into “message: /dev/dm-0 AND message: /[6-9][0-9][%]/”, but with the multi-line message constraint I think my only course of action is to set my regex to look for /dev/dm-0 and then match the /[6-9]{1}[0-9]{1}%/ regex on the same line. Everything I’ve tried so far fails; am I doing something silly here? Things I’ve attempted so far that generate no results:
```text
message: "/dev/dm-0 /([.]+)/65%"
message: "/dev/dm-0 /([.]{5,30})/ 65%"
message: "/dev/dm-0 /([.]{5,30})65%/"
message: "/dev/dm-0 /([.]{5,30})[6][0-9][%]/"
message: /(/dev/dm-0)/      <-- Just trying to get a regex for this device specifically
message: /(dev[/]dm-0)/
message: /(\/dev\/dm-0)/
```
Things that get way too many results:
```text
message: "/dev/dm-0"/(.+)/
message: "/dev/dm-0"/([.]{1,30}[6][5]%)/
```
It feels like I can’t combine “strings” and /(regex)/, which is fair, but I can’t seem to get a regex to work for /dev/dm-0. Using the Java regex tester I’ve seen linked here on the forums, I’ve come up with something that works in that tester but doesn’t seem to work in the actual query, whether I /sandwich/ it in forward slashes or not: (/dev/dm-0.*[6-9][0-9]%). Any help would be greatly appreciated.
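As an added illustration (not part of the post above, and not Graylog's own matching code), the following Python script runs the poster's final pattern and one of the failed attempts against the quoted multi-line message, reconstructed here as a constructed sample with the "<-----" annotation removed. It shows why `[.]+` never matches a df row (inside a character class the dot is a literal dot), why `/dev/dm-0.*[6-9][0-9]%` stays on one line (`.` does not cross a newline unless DOTALL is set), and, as a more robust alternative, parsing the Use% column as a number so the threshold is explicit. The semantics shown are Python's `re`; Graylog's search uses Lucene regex syntax, which differs in places (no `\d`, for instance), so any translation should be verified in Graylog itself.

```python
import re

# Constructed sample: the message from the post, annotation removed.
SAMPLE_MESSAGE = """REALM_VM uptime
06:04:01 up 6:01, 0 users, load average: 0.09, 0.05, 0.05
REALM_VM disk usage ( df -h | grep -v tmpfs )
Filesystem Size Used Avail Use% Mounted on
/dev/dm-0 6.8G 4.1G 2.3G 65% /
udev 10M 0 10M 0% /dev
/dev/vda1 180M 32M 139M 19% /boot
//LS1/realm 290G 108G 168G 40% /data/host
/dev/loop0 204M 204M 0 100% /opt
"""

# The pattern the poster ended up with. Without re.DOTALL the '.' in ".*"
# does not match a newline, so the whole match is confined to the line on
# which /dev/dm-0 appears. Note it fires for 60%..99% and never for 100%.
SAME_LINE_PATTERN = re.compile(r"/dev/dm-0.*[6-9][0-9]%")

# Several failed attempts used "[.]+". Inside a character class a dot is a
# literal '.', so this only matches a run of dots and never a df row.
LITERAL_DOT_PATTERN = re.compile(r"/dev/dm-0[.]+65%")


def matches_same_line(message, pattern=SAME_LINE_PATTERN):
    """True if the pattern matches anywhere in the multi-line message."""
    return pattern.search(message) is not None


# One df -h row: filesystem, size, used, avail, use%, mount point.
# re.MULTILINE makes ^ and $ anchor at each line, not just the whole string.
DF_ROW = re.compile(
    r"^(?P<fs>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<use>\d+)%\s+(?P<mount>\S+)$",
    re.MULTILINE,
)


def device_usage(message, device):
    """Return the Use% of `device` as an int, or None if no such row exists."""
    for row in DF_ROW.finditer(message):
        if row.group("fs") == device:
            return int(row.group("use"))
    return None


def usage_at_or_above(message, device, threshold):
    """Threshold check on the parsed number rather than on regex digit ranges,
    so 100% is handled and the threshold is a parameter, not a pattern."""
    use = device_usage(message, device)
    return use is not None and use >= threshold


if __name__ == "__main__":
    print("poster's pattern matches:", matches_same_line(SAMPLE_MESSAGE))
    print("literal-dot attempt matches:",
          matches_same_line(SAMPLE_MESSAGE, LITERAL_DOT_PATTERN))
    print("/dev/dm-0 usage:", device_usage(SAMPLE_MESSAGE, "/dev/dm-0"))
    print("alert at >= 65%:", usage_at_or_above(SAMPLE_MESSAGE, "/dev/dm-0", 65))
```

Two things the numeric version makes explicit: `[6-9][0-9]%` already fires at 60%, not 65%, and it misses 100% (the `/dev/loop0` row), whereas `usage_at_or_above` compares the parsed integer against whatever threshold the alert actually needs.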