Positive text filter combined with negative text filter?

New Graylog user with hopefully a dumb/easy question.

I want to filter messages that DO contain text “TEXT1” but do NOT include “TEXT2”

I tried:


and every other combination I can think of. My search results get everything containing TEXT1 but things containing TEXT2 are still in the results.

The syntax seems correct, although it might help to use quotes like this :


Could you provide a screenshot of the exact query and the results you are getting ?


There is a whole Documentation for Search Syntax Search query language


Thanks for that useless and unhelpful RTM response. I have read that page several times – and according to it (and the first responder above) what I have tried should work. It does not.

Hello @bldnightowl

I realize what other’s post may not help and/or you have see/read it already. I also understand your having issues searching. Were all here on our free time so if you could please keep the negative statements down a bit it would be much appreciated. Help us , help you :+1:

As for your searching goes, perhaps something like this.

Messages where the field type includes test1 and Not test2,

type:"test1" NOT "test2"

1 Like

Thanks for trying – but that syntax doesn’t work either (see screenshot). So it really seems like maybe I need to file a bug report… you are the second responder who seems to agree that what I’m doing should be working.

P.S. I felt that other person was being rude and dismissive by pointing me at a manual that is obviously linked right off the UI. Their response read as “negative” and snarky to me.

1 Like

It happens but keep your kool man, as for Bug report GitHub you could post here.

Actually, I think I see the issue – the pattern matcher seems to be insisting on complete “words.”

This works:

"DNS" AND NOT "connect.myqdevice.com"

So the pattern “connect” was NOT matching against “connect.myqdevice.com” in the message. A regex appears necessary to do a partial match within a word:

DNS AND NOT /.*connect.*/

The documentation could be a lot better.

1 Like

Yeah the “Document Dude’s” are a little behind right now.

Without regex you can do:

"DNS" AND NOT connect*

I really do not understand what Graylog/Lucene is doing with these patterns.

Consider these messages (not fragments, these are the entire messages):

    kernel: [164141.531234]
    kernel: [164141.531234] some trailing text
    kernel: [456432.789654]
    kernel: [456432.789654] some trailing text

I want to come up with a pattern (regex or otherwise) that will only match the first and third messages but not the second and fourth with the trailing text. I cannot get anything to work.

In a non Graylog/Lucene world, I would use a regex matching on the entire string:

/^.*kernel: \[[0-9]{6}\.[0-9]{6}\]$/

But I can’t come up with whatever magic incantation Lucene seems to want for this.


matches all four messages well enough. But the moment I start trying to put [ or ] into the pattern or trying to anchor to the end of the message text, it fails. For example:


doesn’t match any of the messages.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.