Search string for timestamp containing message field

pavljiks · February 13, 2023, 7:37pm

1. Describe your incident:
I understand that it’s not desired way to use such tool and analyze data would be more proper. But at this point i need to get something to count of error messages on php_error. These files i ship using rsyslog so multi-line log records transfer into separate lines in log files. And i need to get some kind of metrics on uniq records.

2. Describe your environment:

OS Information: Debian 11
Package Version: 4.3.12
Service logs, configurations, and environment variables: Docker-compose based installation

3. What steps have you already taken to try and solve the problem?
Tried a lot of queries but either selects too much or not selecting anything.

4. How can the community help?
Please help me to write query for both timestamps on message field.

tmacgbay · February 13, 2023, 9:58pm

This regex will match either one of the date formats you

(\d{4}\-(0[1-9]|1[012])\-(0[1-9]|[12][0-9]|3[01]))|(\d{2}\-([Jj]an|[Ff]eb|[Mm]ar|[Aa]pr|[Mm]ay|[Jj]un|[Jj]ul|[Aa]ug|[Ss]ep|[Oo]ct|[Nn]ov|[Dd]ec)\-\d{4})

here it is in action

Thats a start let me know if you need more detail.

pavljiks · February 14, 2023, 9:25am

Just last step. I need to add this to my search query (like additional grep)
So my golden plan was to add this regex to query on message filed (complete message line):

(application_name:php_error) AND message:(\d{4}\-(0[1-9]|1[012])\-(0[1-9]|[12][0-9]|3[01]))|(\d{2}\-([Jj]an|[Ff]eb|[Mm]ar|[Aa]pr|[Mm]ay|[Jj]un|[Jj]ul|[Aa]ug|[Ss]ep|[Oo]ct|[Nn]ov|[Dd]ec)\-\d{4})

But sadly : Query parsing error : Cannot parse query

Then tried regex slashes but no result in both cases.

(application_name:php_error) AND message:/(\d{4}\-(0[1-9]|1[012])\-(0[1-9]|[12][0-9]|3[01]))|(\d{2}\-([Jj]an|[Ff]eb|[Mm]ar|[Aa]pr|[Mm]ay|[Jj]un|[Jj]ul|[Aa]ug|[Ss]ep|[Oo]ct|[Nn]ov|[Dd]ec)\-\d{4})/

OR

(application_name:php_error) AND message:/.*(\d{4}\-(0[1-9]|1[012])\-(0[1-9]|[12][0-9]|3[01]))|(\d{2}\-([Jj]an|[Ff]eb|[Mm]ar|[Aa]pr|[Mm]ay|[Jj]un|[Jj]ul|[Aa]ug|[Ss]ep|[Oo]ct|[Nn]ov|[Dd]ec)\-\d{4}).*/

As i said i am need regex as something like grep on search output.

tmacgbay · February 14, 2023, 2:40pm

Ah! I didn’t read that you are going after the contents of message:… message, full_message, and source are analyzed but not indexed. Technically the best way to get what you are looking for is to parse them into fields as the message comes in so they are indexed properly. Not always optimal but that is generally how Graylog was set up. Detail on that about half way down on this Docs page.

You can search in message, it just doesn’t work the way others do. In old posts it there are mentions of implicit ^ and $ in the search which would mean you would have to take into account the entire data of message: field when you search. Whenever I play with, I always come out feeling like I am not sure why it worked and that it was not optimized…

gsmith · February 14, 2023, 11:42pm

Hey @pavljiks

You mentioned your using Rsyslog, by chance can you use a different log shipper like Filebeat /w multiline messages configuration?

pavljiks · February 15, 2023, 7:41am

yes it could be a solution. With rsyslog or syslog in general the best part that it is shipped with any linux distro/version. And can be quickly setup for remote log shipping.

pavljiks · February 15, 2023, 7:57am

Parsing would be not that easy. Becouse php versions and programmers decide multiple ways how to use php.error files. So structure of those messages maybe completely different.

At this point i will stick with search query like:

AND (message:"UTC]" OR message:"Europe/Helsinki]" OR message:ERROR|CRIT)

system · March 1, 2023, 7:58am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.