Searching with regexp in graylog does not yield anything

Hi,
I am trying to find all the logs starting with the ‘ERROR’ message. When I use the query message:/^ERROR/
it does not give any result.
Can someone tell me how this can be achieved?

Let me ask the obvious question first: are there actually any messages like that indexed? Because if there’s nothing indexed, there won’t be a result :wink:

But for real now, Lucene implicitly anchors regular expressions (meaning it uses the ^ and $ operators on its own), so you may want to try message:/ERROR.*/ instead.

Here’s a link that explains it all - good luck! :slight_smile:

Hi Ben van Staveren, there are messages getting indexed. Currently it’s writing to the “graylog_185” index set.
I tried searching message:/ERROR.*/ but this also gives no result when I try searching in 5 days of logs.
I don’t want to use message:ERROR because it will give INFO and WARN messages along with ERROR.

Alternatively, set up a pipeline that uses a Grok pattern to extract the log level into its own field, then you can do things like log_level:"ERROR" and it’ll all work out okay :slight_smile:

I agree, extract into its own field and you’ll probably get more use out of that anyway, but out of curiosity, have you tried message:/.ERROR./ ? (wildcard at start as well)

Can you post a screenshot of a particular message as it’s displayed in the UI?

And of course make sure your search date-time range does include one of these messages :wink:

Hi benvanstaveren,

With the Grok pattern it works, but the client wants to use regexp search in general for other types of searches as well. Is there any way I can check if regexp search is enabled? I am searching in all the messages and it is not showing any result.

Hi Lindon,
I tried message:/. *ERROR.* / but it is also not showing any result. Any idea why these types of searches are not giving any result?

Sorry Vinay, I think the forum stripped out the wildcards in my previous post.

Try

/.*ERROR.*/

Hi Lindonm,

Thanks for the quick response, but /.ERROR./ or message:/.ERROR./ does not give any result, while searching only ERROR does. I have included the * wildcard with the search.

Start with the manual, maybe it helps a lot.
http://docs.graylog.org/en/3.0/pages/queries.html#escaping

//General forum rules… Edit your post until someone else answers. Why do you need to spam the full topic?

And after that you posted a pic without escape chars…
If you write a pattern you shouldn’t cover the full line. You can forget the .* at the start and the end.

try message:\/\^ERROR\/
// manual…
Also note that `message` , `full_message` , and `source` are the only fields that are being analyzed by default. While wildcard searches (using `*` and `?` ) work on all indexed fields, analyzed fields will behave a little bit different. See [wildcard and regexp queries](https://www.elastic.co/guide/en/elasticsearch/guide/2.x/_wildcard_and_regexp_queries.html) for details.
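As an added illustration (not from any post in this thread, nor Graylog or Elasticsearch code), the Python below models the point the manual makes about analyzed fields: the `message` field is tokenized and lowercased at index time, a Lucene regexp is applied unanalyzed and implicitly anchored to each indexed term, while a plain term query is analyzed the same way as the field. The analyzer model and the sample log lines are constructed assumptions.

```python
import re

# Constructed sample log lines, modelled on the examples in this thread
# (not copied from anyone's real index).
MESSAGES = [
    "ERROR [2019-04-01 10:00:00] Pandora connection refused",
    "INFO [2019-04-01 10:00:01] some string",
    "DEBUG [2019-04-01 10:00:02] some string",
    "! at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)",
]


def analyze(text):
    """Simplified stand-in for Elasticsearch's standard analyzer: split the
    text into word tokens and lowercase each one. (Assumption: the real
    tokenizer has finer rules, but the lowercasing step is what matters.)"""
    return [token.lower() for token in re.findall(r"\w+", text)]


def regexp_query(messages, pattern):
    """Model of a Lucene regexp query on an analyzed field: the pattern is
    taken literally (no analysis, so it stays case-sensitive), is implicitly
    anchored to a whole term, and a message matches if any indexed term does."""
    rx = re.compile(pattern)
    return [m for m in messages if any(rx.fullmatch(t) for t in analyze(m))]


def term_query(messages, text):
    """Model of a plain term query: the query text goes through the same
    analyzer as the field, so 'ERROR' becomes 'error' and lines up with
    the lowercased indexed terms."""
    wanted = set(analyze(text))
    return [m for m in messages if wanted & set(analyze(m))]


if __name__ == "__main__":
    # The regexp from the thread finds nothing: indexed terms are lowercase.
    print(regexp_query(MESSAGES, "ERROR.*"))   # -> []
    # Lowercased, the regexp matches, but also catches "Errors$1" (two hits).
    print(regexp_query(MESSAGES, "error.*"))
    # The plain term query works because the query text is analyzed too.
    print(term_query(MESSAGES, "ERROR"))       # -> the ERROR line only
```

Extracting the level into its own (unanalyzed) field, as suggested above, sidesteps the mismatch entirely, because the regexp then runs against the raw value rather than lowercased tokens.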

The above posts have been edited now.
The wildcard search is enabled and still no results.
Why did you use escape characters when we only need to search for messages starting with ERROR? And according to the Graylog manual, message:/^ERROR/ is sufficient.

What happened with the link that I posted?
Have you read it?

Are you able to show us a screenshot with an actual log result? (no search query). Include the column “message” in the output.

Hi lindonm,
This is what the message output looks like, specifically for an ERROR message.

Thanks, the regex should definitely work then, this may be a bug. It will need someone who knows a lot more about Graylog, but I wonder if it’s something at the OS level, e.g. does a grep with regex work on that same system?

Have you tried just a normal wildcard search as opposed to regex? E.g.:

message:ERROR*

Yes, it works but gives many other messages with the output.
Example:
! at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
INFO [2019-04-…] some string
DEBUG [2019-04-…] some string]

I wonder if “error” is some kind of key word and should be quoted or escaped?

Try

message:/.*Pandora.*/

Does that return a result? (took that from your screenshot)

It doesn’t. If I search message:Pandora it shows all the logs which have Pandora in the message.

Then I am out of ideas sorry - Regex should work out of the box. Maybe it’s a version thing, what versions do you have for Graylog & Elasticsearch?