Highlighting based on partial text in message field

alesblinka · April 24, 2026, 7:42am

Hi

I have this message in the log

message

ERROR: Backup of VM 424 failed - VM is locked (snapshot)

Of course the number of VM can be different in the future. I would like to highlight this message by red colour if it contains “ERROR: Backup of VM”.

I tried to use followings but without any success

“ERROR: Backup of VM”
*“ERROR: Backup of VM”*
%'“ERROR: Backup of VM”%
/.“ERROR: Backup of VM”/.

Is there a way how to highlight message based on partial text?

Thank you, Al

Wine_Merchant · April 24, 2026, 10:35am

Create a pipleine and rule that looks for these messages and if found add a field with a static value, then highlight based on where that static value appears.

Here is an example rule.

rule "Detect VM Backup Failure"
when
  regex("ERROR: Backup of VM \\d+ failed", to_string($message.message)).matches == true
then
  set_field("failed_vm", "true");
end

Then highlight based on failed_vm containing true.

Topic		Replies	Views
Is it possible to create highlight that contains certain word or character? Graylog Central (peer support) alert , script , components	2	1161	June 15, 2023
Conditions question - is the value field a exact match of partial match Graylog Central (peer support)	1	472	August 30, 2019
Regex Search in message / Chars like ", ==, <=, etc / Problem Graylog Central (peer support)	5	1180	October 14, 2019
Regex search in message field Graylog Central (peer support)	4	1661	February 23, 2021
Basic contain from message field Graylog Central (peer support)	2	449	October 1, 2019

Highlighting based on partial text in message field

Related topics