Search string for timestamp containing message field

1. Describe your incident:
I understand that it's not the desired way to use such a tool and that analyzing the data would be more proper. But at this point I need to get something to count the error messages in php_error. These files I ship using rsyslog, so multi-line log records are transferred into separate lines in the log files. And I need to get some kind of metrics on unique records.

2. Describe your environment:

  • OS Information: Debian 11

  • Package Version: 4.3.12

  • Service logs, configurations, and environment variables: Docker-compose based installation

3. What steps have you already taken to try and solve the problem?
Tried a lot of queries, but they either select too much or don't select anything.

4. How can the community help?
Please help me to write a query for both timestamps on the message field.

This regex will match either one of the date formats you


Here it is in action.

That's a start, let me know if you need more detail.


Just the last step. I need to add this to my search query (like an additional grep).
So my golden plan was to add this regex to the query on the message field (complete message line):

(application_name:php_error) AND message:(\d{4}\-(0[1-9]|1[012])\-(0[1-9]|[12][0-9]|3[01]))|(\d{2}\-([Jj]an|[Ff]eb|[Mm]ar|[Aa]pr|[Mm]ay|[Jj]un|[Jj]ul|[Aa]ug|[Ss]ep|[Oo]ct|[Nn]ov|[Dd]ec)\-\d{4})

But sadly: Query parsing error : Cannot parse query

Then I tried regex slashes, but no result in either case.

(application_name:php_error) AND message:/(\d{4}\-(0[1-9]|1[012])\-(0[1-9]|[12][0-9]|3[01]))|(\d{2}\-([Jj]an|[Ff]eb|[Mm]ar|[Aa]pr|[Mm]ay|[Jj]un|[Jj]ul|[Aa]ug|[Ss]ep|[Oo]ct|[Nn]ov|[Dd]ec)\-\d{4})/


(application_name:php_error) AND message:/.*(\d{4}\-(0[1-9]|1[012])\-(0[1-9]|[12][0-9]|3[01]))|(\d{2}\-([Jj]an|[Ff]eb|[Mm]ar|[Aa]pr|[Mm]ay|[Jj]un|[Jj]ul|[Aa]ug|[Ss]ep|[Oo]ct|[Nn]ov|[Dd]ec)\-\d{4}).*/

As I said, I need the regex as something like grep on the search output.
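As an added example (not code from the thread or from Graylog), the script below does offline what the poster wants the search to do: it uses the date regex quoted above as the marker for the first line of a PHP error record, reassembles the rsyslog-split lines back into multi-line records, strips the timestamp prefix, and counts unique messages. The sample log lines are constructed, and the timestamp-prefix pattern in `normalize` is an assumption about how php_error lines start.

```python
import re
from collections import Counter

# Date regex copied from the thread: ISO yyyy-mm-dd or dd-Mon-yyyy.
DATE_RE = re.compile(
    r"(\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01]))"
    r"|(\d{2}-([Jj]an|[Ff]eb|[Mm]ar|[Aa]pr|[Mm]ay|[Jj]un|[Jj]ul|[Aa]ug|[Ss]ep|[Oo]ct|[Nn]ov|[Dd]ec)-\d{4})"
)

# Assumed timestamp prefixes: "[dd-Mon-yyyy HH:MM:SS TZ] " or "yyyy-mm-dd HH:MM:SS ".
TS_PREFIX_RE = re.compile(r"^(\[[^\]]*\]|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*")

# Constructed sample: rsyslog delivered every line of the php_error file as its own record.
SAMPLE_LINES = [
    "[14-Mar-2023 10:02:11 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function foo() in /var/www/app/index.php:12",
    "Stack trace:",
    "#0 {main}",
    "  thrown in /var/www/app/index.php on line 12",
    "[14-Mar-2023 10:05:40 Europe/Helsinki] PHP Warning:  Undefined variable $bar in /var/www/app/lib.php on line 7",
    "2023-03-14 10:07:03 PHP Notice:  Trying to access array offset on value of type null in /var/www/app/lib.php on line 9",
    "[14-Mar-2023 10:09:52 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function foo() in /var/www/app/index.php:12",
    "Stack trace:",
    "#0 {main}",
    "  thrown in /var/www/app/index.php on line 12",
]


def starts_record(line):
    """A line carrying one of the two date formats begins a new PHP error record."""
    return DATE_RE.search(line) is not None


def reassemble(lines):
    """Group rsyslog-split lines back into multi-line PHP error records."""
    records = []
    current = []
    for line in lines:
        if starts_record(line):
            if current:
                records.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)  # continuation (stack trace, "thrown in ...")
        else:
            # Continuation seen before any record start (file was rotated or
            # shipping began mid-record): keep it rather than silently drop it.
            records.append(line)
    if current:
        records.append("\n".join(current))
    return records


def normalize(record):
    """Return the first line without its timestamp, so identical errors at
    different times count as one message."""
    first_line = record.split("\n", 1)[0]
    return TS_PREFIX_RE.sub("", first_line, count=1)


def count_unique(lines):
    """Counter of normalized error messages, most common first via most_common()."""
    return Counter(normalize(record) for record in reassemble(lines))


if __name__ == "__main__":
    for message, n in count_unique(SAMPLE_LINES).most_common():
        print(f"{n:4d}  {message}")
```

Run it against a real php_error file by replacing `SAMPLE_LINES` with the file's lines; records whose first line does not carry either date format are kept as separate entries instead of being merged, so a change in log layout shows up as an unexpected message rather than disappearing.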

Ah! I didn't read that you are going after the contents of message: message, full_message, and source are analyzed but not indexed. Technically the best way to get what you are looking for is to parse them into fields as the message comes in so they are indexed properly. Not always optimal, but that is generally how Graylog was set up. Details on that about halfway down on this Docs page.

You can search in message, it just doesn't work the way others do. In old posts there are mentions of implicit ^ and $ in the search, which would mean you would have to take into account the entire data of the message: field when you search. Whenever I play with it, I always come out feeling like I am not sure why it worked and that it was not optimized…


Hey @pavljiks

You mentioned you're using Rsyslog; by chance, can you use a different log shipper like Filebeat with a multiline messages configuration?

Yes, it could be a solution. With rsyslog, or syslog in general, the best part is that it is shipped with any Linux distro/version and can be quickly set up for remote log shipping.

Parsing would not be that easy, because PHP versions and programmers decide on multiple ways of how to use php.error files. So the structure of those messages may be completely different.

At this point I will stick with a search query like:

AND (message:"UTC]" OR message:"Europe/Helsinki]" OR message:ERROR|CRIT)

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.