there is a Netapp filer logging its messages into graylog (Netapp cDot). When I search for “offline” to find messages about Luns switched offline, I get a list of messages containing offlined Luns.
When however I search for deleted Luns and I search for “destroy”, I get “nothing found” despite there being many log messages about destroyed Luns.
I suspect it is the “str” substring in “destroy” putting the search off. How do I mask this search string to look for what I want? wrapping in apostrophes and " didn’t work.
The documentation only mentions some special characters to be escaped, not “normal” strings.
The log messages look like this:
Aug 30 17:04:21 10.209.149.61 [netappfiler:LUN.offline:notice]: LUN at path /vol/somevolume/{73c826a3-4539-4e4f-8a70-2a7357f85cbc}.aux in volume somevolume (DSID 1051) has been brought offline.
Aug 30 17:04:19 10.209.149.61 [netappfiler:LUN.destroy:info]: LUN at path /vol/somevolume/{cdbb18e0-4da4-4a44-800b-a5ad9e6e0e89}.aux in volume somevolume (DSID 1050) was destroyed.
how to search your messages highly depends if you do some processing on them and if you create some fields on the content or if you just type what you are searching into the search bar without any more advanced operations.
Hi Jan,
the only processing done is an extractor taking input field 4 (hostname/IP) and use it a source field for all incoming messages,
And as a search for example I click on the stream “all messages” and type my search string into the search field on the top of the page. Searching for “offline” works as intended, searching for “destroy” does not.
as you want to search only via a little part of the string you need to use some regex (*) to get the result. You should get the result you want if you search for destroy* or the word destroyed .
But I still cannot figure out why searching for “offline” (without asterisk) correctly lists all the entries like this: “LUN.offline:notice” while searching for “destroy” needs the trailing asterisk to show the desired results: “LUN.destroy:info”.
Turns out the search for “destroy*” seems to match to the last part of the log entry line: “… was destroyed”, while I thought it should already match to this part of the line: “LUN.destroy:info”. That explains why the asterisk is needed.
Theory: The part “LUN.destroy:info” is between brackets “[ ]” which might not count as the “message” part of the log line. Thus the search does not consider this part for searching. Or so.
