1. Describe your incident:
I understand that it’s not the desired way to use such a tool and that analyzing the data would be more proper. But at this point I need to get something to count error messages in php_error. I ship these files using rsyslog, so multi-line log records are transferred as separate lines in the log files. And I need to get some kind of metrics on unique records.
Ah! I didn’t read that you are going after the contents of message:… message, full_message, and source are analyzed but not indexed. Technically the best way to get what you are looking for is to parse them into fields as the message comes in so they are indexed properly. Not always optimal, but that is generally how Graylog was set up. Detail on that is about halfway down this Docs page.
You can search in message, it just doesn’t work the way others do. In old posts there are mentions of implicit ^ and $ in the search, which would mean you would have to take into account the entire data of the message: field when you search. Whenever I play with it, I always come out feeling like I am not sure why it worked and that it was not optimized…
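
The field extraction suggested in the replies, sketched outside Graylog as an added example that is not part of the original thread and is not Graylog pipeline code: it splits each php_error line into level, message signature, file and line number, skips the stack-trace continuation lines that rsyslog delivers as separate messages, and counts unique records. It assumes PHP's default error_log line format; the sample lines, the function names and the digit-collapsing normalization are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: php_error lines after rsyslog has split multi-line
# records into one message per line (line format assumed, not from the thread).
SAMPLE = """\
[12-Mar-2024 10:15:32 UTC] PHP Warning:  Undefined variable $user in /var/www/app/index.php on line 42
[12-Mar-2024 10:15:32 UTC] PHP Stack trace:
[12-Mar-2024 10:15:32 UTC] PHP   1. {main}() /var/www/app/index.php:0
[12-Mar-2024 10:16:01 UTC] PHP Warning:  Undefined variable $user in /var/www/app/index.php on line 42
[12-Mar-2024 10:17:45 UTC] PHP Fatal error:  Uncaught Exception: order 1041 not found in /var/www/app/order.php:17
[12-Mar-2024 10:18:02 UTC] PHP Fatal error:  Uncaught Exception: order 2207 not found in /var/www/app/order.php:17
not a php_error line
"""

# First line of a record: "[timestamp] PHP <level>: <text>". Stack-trace lines do not match.
HEAD = re.compile(r"^\[(?P<ts>[^\]]+)\] PHP "
                  r"(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error):\s+(?P<text>.*)$")
# Trailing location, written either "in FILE on line N" or "in FILE:N".
LOC = re.compile(r"^(?P<msg>.*?) in (?P<file>/\S+?)(?: on line |:)(?P<line>\d+)$")

def parse_line(line):
    """Return the extracted fields for a record's first line, or None for any other line."""
    head = HEAD.match(line.strip())
    if head is None:
        return None
    text = head["text"]
    loc = LOC.match(text)
    msg = loc["msg"] if loc else text
    return {
        "timestamp": head["ts"],
        "level": head["level"],
        # Collapse digit runs so records differing only by an id share one signature.
        "signature": re.sub(r"\d+", "N", msg),
        "file": loc["file"] if loc else None,
        "line": int(loc["line"]) if loc else None,
    }

def count_unique(lines):
    """Count records per (level, signature, file, line); continuation lines are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["level"], rec["signature"], rec["file"], rec["line"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in count_unique(SAMPLE.splitlines()).most_common():
        print(n, *key)
```

Once the same fields exist on the message at ingest, the counting can be done on the extracted fields instead of searching inside message.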