Term "destroy" in searches and patterns not working

Hi all,

There is a NetApp filer logging its messages into Graylog (NetApp cDOT). When I search for “offline” to find messages about LUNs switched offline, I get a list of messages containing offlined LUNs.

When, however, I search for deleted LUNs using “destroy”, I get “nothing found” despite there being many log messages about destroyed LUNs.

I suspect it is the “str” substring in “destroy” putting the search off. How do I mask this search string to look for what I want? Wrapping it in apostrophes or double quotes didn’t work.

The documentation only mentions some special characters to be escaped, not “normal” strings.

The log messages look like this:

Aug 30 17:04:21 10.209.149.61 [netappfiler:LUN.offline:notice]: LUN at path /vol/somevolume/{73c826a3-4539-4e4f-8a70-2a7357f85cbc}.aux in volume somevolume (DSID 1051) has been brought offline.

Aug 30 17:04:19 10.209.149.61 [netappfiler:LUN.destroy:info]: LUN at path /vol/somevolume/{cdbb18e0-4da4-4a44-800b-a5ad9e6e0e89}.aux in volume somevolume (DSID 1050) was destroyed.

Thanks in advance!

Hi @Deltatango,

How to search your messages depends heavily on whether you do some processing on them and create fields from the content, or whether you just type what you are searching for into the search bar without any more advanced operations.

regards
Jan

Hi Jan,
The only processing done is an extractor taking input field 4 (hostname/IP) and using it as the source field for all incoming messages.

As for the search, for example I click on the stream “all messages” and type my search string into the search field at the top of the page. Searching for “offline” works as intended, searching for “destroy” does not.

@Deltatango

I think you already read the documentation: http://docs.graylog.org/en/2.3/pages/queries.html

As you want to search only via a small part of the string, you need to use some regex (*) to get the result. You should get the result you want if you search for destroy* or the word destroyed.

with kind regards
Jan

Thanks Jan, this is actually working.

But I still cannot figure out why searching for “offline” (without asterisk) correctly lists all the entries like this: “LUN.offline:notice” while searching for “destroy” needs the trailing asterisk to show the desired results: “LUN.destroy:info”.

Turns out the search for “destroy*” seems to match the last part of the log entry line: “… was destroyed”, while I thought it should already match this part of the line: “LUN.destroy:info”. That explains why the asterisk is needed.

Theory: The part “LUN.destroy:info” is between brackets “[ ]” which might not count as the “message” part of the log line. Thus the search does not consider this part for searching. Or so.

You could check the terms of the message in the detailed message view.

That will show you how the message is seen by Graylog/Elasticsearch.
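As an added example (not from this thread, and not Graylog's or Elasticsearch's own code), the Python below models how the analyzed message field is broken into terms and why the two searches behave differently. Graylog's default index template analyzes `message` with the Elasticsearch standard analyzer (UAX#29 word breaks plus lowercasing); the word-break rules here are a simplified ASCII reading of that standard, and the inverted index and the single-term/prefix search are toy stand-ins written for this illustration. The two log lines from the first post are embedded as the sample input. The terms list in the detailed message view remains the authoritative check for a real message.

```python
"""
Toy model of the standard analyzer on Graylog's `message` field:
UAX#29-style word breaks (simplified to ASCII) followed by lowercasing,
then a single-term or trailing-wildcard lookup over the resulting terms.
This is an illustration, not Elasticsearch's tokenizer or query parser.
"""

# Constructed sample input: the two log lines quoted in the thread.
MESSAGES = [
    "Aug 30 17:04:21 10.209.149.61 [netappfiler:LUN.offline:notice]: LUN at path "
    "/vol/somevolume/{73c826a3-4539-4e4f-8a70-2a7357f85cbc}.aux in volume somevolume "
    "(DSID 1051) has been brought offline.",
    "Aug 30 17:04:19 10.209.149.61 [netappfiler:LUN.destroy:info]: LUN at path "
    "/vol/somevolume/{cdbb18e0-4da4-4a44-800b-a5ad9e6e0e89}.aux in volume somevolume "
    "(DSID 1050) was destroyed.",
]


def tokenize(text):
    """Simplified UAX#29 word breaking, as the standard tokenizer does it:
    - runs of letters/digits form tokens;
    - '.' joins letter-to-letter ("LUN.destroy") and digit-to-digit ("10.209");
    - ':' and "'" join letter-to-letter only ("destroy:info"), so "17:04:21"
      breaks into three tokens;
    - everything else (space, '[', ']', '/', '{', '-', '(' ...) is a break.
    Tokens are lowercased like the standard analyzer's lowercase filter.
    """
    tokens, cur = [], []
    n = len(text)
    for i, ch in enumerate(text):
        if ch.isalnum():
            cur.append(ch)
            continue
        prev_ch = text[i - 1] if i > 0 else ""
        next_ch = text[i + 1] if i + 1 < n else ""
        joins = False
        if ch == ".":
            joins = (prev_ch.isalpha() and next_ch.isalpha()) or (
                prev_ch.isdigit() and next_ch.isdigit()
            )
        elif ch in ":'":
            joins = prev_ch.isalpha() and next_ch.isalpha()
        if joins:
            cur.append(ch)  # punctuation stays inside the token
        elif cur:
            tokens.append("".join(cur).lower())
            cur = []
    if cur:
        tokens.append("".join(cur).lower())
    return tokens


def build_index(messages):
    """Inverted index: term -> set of message ids that contain it."""
    index = {}
    for msg_id, text in enumerate(messages):
        for term in tokenize(text):
            index.setdefault(term, set()).add(msg_id)
    return index


def search(index, query):
    """Single-term lookup in the spirit of Lucene query syntax: a trailing '*'
    is a prefix query over the indexed terms, otherwise the term must match a
    whole indexed term exactly. The query is lowercased like the terms were."""
    q = query.lower()
    if q.endswith("*"):
        prefix = q[:-1]
        hits = set()
        for term, ids in index.items():
            if term.startswith(prefix):
                hits |= ids
        return hits
    return set(index.get(q, ()))


if __name__ == "__main__":
    index = build_index(MESSAGES)
    # The bracketed part survives as ONE term, so "destroy" alone cannot hit it.
    print(sorted(t for t in index if "destroy" in t or "offline" in t))
    for q in ("offline", "destroy", "destroy*", "destroyed", "LUN.destroy:info"):
        print(f"{q!r:20} -> messages {sorted(search(index, q))}")
```

Running it shows that "[netappfiler:LUN.destroy:info]" is indexed as the single term `netappfiler:lun.destroy:info`, because UAX#29 does not break on a period or colon sitting between letters; the only standalone terms are `offline` (from "brought offline.") and `destroyed` (from "was destroyed."). That is why `offline` matches, `destroy` finds nothing, and `destroy*` matches through the prefix of `destroyed`. Quoting the word does not change this, since a quoted phrase is analyzed with the same tokenizer.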
