1. Describe your incident:
I understand that it's not the desired way to use such a tool and that analyzing the data would be more proper. But at this point I need to get something to count error messages in php_error. These files I ship using rsyslog, so multi-line log records are transferred into separate lines in the log files. And I need to get some kind of metrics on unique records.
Just the last step. I need to add this to my search query (like an additional grep).
So my golden plan was to add this regex to the query on the message field (complete message line):
(application_name:php_error) AND message:(\d{4}\-(0[1-9]|1[012])\-(0[1-9]|[12][0-9]|3[01]))|(\d{2}\-([Jj]an|[Ff]eb|[Mm]ar|[Aa]pr|[Mm]ay|[Jj]un|[Jj]ul|[Aa]ug|[Ss]ep|[Oo]ct|[Nn]ov|[Dd]ec)\-\d{4})
But sadly: Query parsing error: Cannot parse query
Then I tried regex slashes, but no result in either case.
(application_name:php_error) AND message:/(\d{4}\-(0[1-9]|1[012])\-(0[1-9]|[12][0-9]|3[01]))|(\d{2}\-([Jj]an|[Ff]eb|[Mm]ar|[Aa]pr|[Mm]ay|[Jj]un|[Jj]ul|[Aa]ug|[Ss]ep|[Oo]ct|[Nn]ov|[Dd]ec)\-\d{4})/
OR
(application_name:php_error) AND message:/.*(\d{4}\-(0[1-9]|1[012])\-(0[1-9]|[12][0-9]|3[01]))|(\d{2}\-([Jj]an|[Ff]eb|[Mm]ar|[Aa]pr|[Mm]ay|[Jj]un|[Jj]ul|[Aa]ug|[Ss]ep|[Oo]ct|[Nn]ov|[Dd]ec)\-\d{4}).*/
As I said, I need the regex as something like grep on the search output.
Ah! I didn't read that you are going after the contents of message… message, full_message, and source are analyzed but not indexed. Technically the best way to get what you are looking for is to parse them into fields as the message comes in so they are indexed properly. Not always optimal, but that is generally how Graylog was set up. Details on that about halfway down on this Docs page.
You can search in message; it just doesn't work the way the others do. In old posts there are mentions of an implicit ^ and $ in the search, which would mean you would have to take into account the entire data of the message: field when you search. Whenever I play with it, I always come out feeling like I am not sure why it worked and that it was not optimized…
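A quick way to see the difference between grep-style matching and a whole-field match with implicit ^ and $, as an added example that is not from this thread: Python's re.search versus re.fullmatch run over a few constructed php_error lines. The date regex is written with [0-9] instead of \d, since Lucene's regex dialect has no \d shorthand, and the plain `.*` wrapping from the third query above is placed beside a grouped form, because `.*(A)|(B).*` reads as `(.*A)|(B.*)` when the whole field must match.

```python
import re

# The two date shapes the original query looks for, with [0-9] in place of \d.
ISO_DATE = r"[0-9]{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])"
TEXT_DATE = (r"[0-9]{2}-([Jj]an|[Ff]eb|[Mm]ar|[Aa]pr|[Mm]ay|[Jj]un|[Jj]ul|"
             r"[Aa]ug|[Ss]ep|[Oo]ct|[Nn]ov|[Dd]ec)-[0-9]{4}")
DATE_RE = f"({ISO_DATE})|({TEXT_DATE})"

# Wrapping as in the third query: ".*" + pattern + ".*" (alternation unbracketed).
NAIVE_WRAP = ".*" + DATE_RE + ".*"
# Wrapping with the alternation grouped first, so ".*" applies to both shapes.
GROUPED_WRAP = f".*({DATE_RE}).*"

# Constructed sample lines in the shape rsyslog hands over (one line per record
# line, so a stack trace arrives as separate lines). Not real log data.
SAMPLE_LINES = [
    "[15-Jan-2024 10:22:01 Europe/Helsinki] PHP Fatal error:  Uncaught Error",
    "Stack trace:",
    "#0 /var/www/app/index.php(12): foo()",
    "[2024-01-16 08:00:00 UTC] PHP Warning:  Undefined variable $x",
]


def grep_style(pattern, lines):
    """Lines containing a match anywhere, the way grep selects lines."""
    return [line for line in lines if re.search(pattern, line)]


def anchored_style(pattern, lines):
    """Lines matched as a whole, the way a regex with implicit ^ and $ behaves."""
    return [line for line in lines if re.fullmatch(pattern, line)]


def count_error_records(lines):
    """Count records by their date-carrying first line; continuation lines
    (stack trace, frames) are not counted as separate records."""
    return len(grep_style(DATE_RE, lines))


if __name__ == "__main__":
    print("grep-style, bare regex:   ", len(grep_style(DATE_RE, SAMPLE_LINES)))
    print("anchored, bare regex:     ", len(anchored_style(DATE_RE, SAMPLE_LINES)))
    print("anchored, .*A|B.* wrap:   ", len(anchored_style(NAIVE_WRAP, SAMPLE_LINES)))
    print("anchored, .*(A|B).* wrap: ", len(anchored_style(GROUPED_WRAP, SAMPLE_LINES)))
    print("records counted:          ", count_error_records(SAMPLE_LINES))
```

Only the grouped wrapping recovers both date shapes under whole-field matching; the bare regex and the ungrouped `.*` wrapping match nothing.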
Yes, it could be a solution. With rsyslog, or syslog in general, the best part is that it is shipped with any Linux distro/version and can be quickly set up for remote log shipping.
Parsing would not be that easy, because PHP versions and programmers decide in multiple ways how to use php_error files. So the structure of those messages may be completely different.
At this point I will stick with a search query like:
AND (message:"UTC]" OR message:"Europe/Helsinki]" OR message:ERROR|CRIT)