Graylog Community

Unable to find by substring

Graylog Central (peer support)

Giuseppecal (Giuseppe) February 23, 2023, 3:01pm 1

1. Describe your incident:
Hi,
I just created my first Extractors! I did It to get the “log:” value into my message:

This is an example of my messages:
2023-02-23 15:26:16.537+0100 INFO [0] user:giuseppe.rossi, method:lista, package:com.scffund.job.JobController.lista, log:TOKEN-header decoded: {“typ”: “JWT”,“alg”:“RS256”,“kid”:“-KI3Q9nNR7bRofxmxxxxxxxxxxx”}

My Regular expression Extractor stored on a new field called “log”:
(?<= log:)(.*)(?)

The following queries return no results:

log:TOKEN
log:RS
log:TOKEN
log:NR7bRofxmeZ

I get results only searching by the entire “log” content, i.e.:

log:TOKEN-header decoded: {“typ”:“JWT”,“alg”:“RS256”,“kid”:“-KI3Q9nNR7bRofxmxxxxxxxxxxx”}

what am I doing wrong? what should i do to search for portions of my sentence?

2. Describe your environment:
Red Hat, Inc. 1.8.0_362 on Linux 4.18.0-425.10.1.el8_7.x86_64

Package Version:
Graylog 4.2.8+c9edd92
Service logs, configurations, and environment variables:

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

tmacgbay (Tmacgbay) February 23, 2023, 7:12pm 2

I believe it has to do with your regex. The colon needs to be escaped and best to anchor it to the end of the message $ since I am assuming you want the rest of the data… that reduces the search.

(?<= log\:)(.*$)

1 Like

Giuseppecal (Giuseppe) February 24, 2023, 9:53am 3

Hi @tmacgbay
thank you for your reply!

I verified what you suggested but nothing has changed.

My message:
2023-02-23 16:39:52.167+0100 INFO [1256930] user:xxx.xxx, method:comboTipoData, package:partita.comboTipoData, log:start - params:[[_dc:1677166792042, controller:partita, format:null, action:comboTipoData]]

Queries with zero results:
log:start
log:start*
log:7716679
log:*7716679

the only query that works is:
log:"message_fifty:“start - params:[[_dc:1677166792042, controller:partita, format:null, action:comboTipoData]]”

Thank you all again.
G

tmacgbay (Tmacgbay) February 24, 2023, 3:16pm 4

Looks like I missed what the issue is. If you want to search for a portion of a field you can do it with regex:

log:/.*start.*/

The other option is to break out the log field to its constituent parts, maybe in a pipeline rule… (My preference) and search on the new fields you create.

2 Likes

gsmith (GSmith) February 25, 2023, 3:54am 5

hey,

Did a test in my lab using REGEX to grab a string after the word “package” this was from your log file/s

And the word Log

EDIT:

Widgets created

2 Likes

Giuseppecal (Giuseppe) February 28, 2023, 1:06pm 6

Thank you all for support.

Giuseppe

1 Like

system (system) Closed March 14, 2023, 1:07pm 7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views	Activity
Failed to find a string in message Graylog Central (peer support)	4	1388	April 12, 2019
How to search a complicated string? Graylog Central (peer support)	5	5132	May 30, 2018
Regex Search in message / Chars like ", ==, <=, etc / Problem Graylog Central (peer support)	5	1018	October 14, 2019
Searching with regexp in graylog does not yield anything Graylog Central (peer support)	21	22853	May 8, 2019
Extractor help needed Graylog Central (peer support)	2	818	March 15, 2021