Unable to search Logs with String

Description of your problem

I want to get all logs which have error but not the line which has error after subj:"

example:
full_message is "2021-09-29T17:30:28+10:00 ERROR admin: subj: user has an Exception "

Description of steps you’ve taken to attempt to solve the issue

Graylog 4.0

Environmental information

Hello && Welcome

I might be able to help.
If you want to extract messages with an ERROR you can do it a couple of ways.

  1. Create an extractor on your INPUT (GROK, REGEX, etc…).
    Extractors — Graylog 4.1.0 documentation

Here is an example of REGEX using this: ERROR\s(\w+)

This site can help you.

  2. You can use a Pipeline to get the data you need from the full_message field.
    Pipelines — Graylog 4.1.0 documentation

Maybe something like this below, not sure it's all what you want. In this example it will get ERROR from full_message, make a field called ERROR, and place data under that field with admin. You can fine tune it to your needs.

rule "Log Error"
when
    // match any message whose full_message contains the word ERROR
    contains(to_string($message.full_message), "ERROR")
then
    // mark the message with a boolean field named ERROR
    set_field("ERROR", true);
end

rule "Some rule"
when
    // run this rule in a later pipeline stage than "Log Error": rule
    // conditions in a stage are evaluated before that stage's actions run,
    // so the ERROR field set above is only visible from the next stage on
    to_string($message.ERROR) == "true"
then
    // replace the boolean with the value "admin"
    set_field("ERROR", "admin");
end

Hope that helps
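Added example, not part of the thread and not Graylog's own code: a small Python stand-in that applies the reply's regex ERROR\s(\w+) the way a Graylog REGEX extractor would (first capture group becomes the field value), mimics the two pipeline rules above, and applies one assumed reading of the original question (keep messages where ERROR appears before the "subj:" marker, drop those where it only appears after it). The sample messages are constructed here; function names are this example's own.

```python
import re

# The regular expression from the reply, applied like a Graylog REGEX
# extractor: the first capture group becomes the extracted field value.
ERROR_PATTERN = re.compile(r"ERROR\s(\w+)")

# Constructed sample messages (not taken from the original thread).
SAMPLE_MESSAGES = [
    "2021-09-29T17:30:28+10:00 ERROR admin: subj: user has an Exception ",
    "2021-09-29T17:31:02+10:00 INFO scheduler: job finished",
    "2021-09-29T17:32:45+10:00 WARN backup: subj: ERROR counter reset",
]


def extract_error_field(full_message):
    """Mimic a REGEX extractor with pattern ERROR\\s(\\w+) on full_message.

    Returns the captured word (e.g. "admin"), or None when the pattern does
    not match, in which case the extractor would leave the field unset.
    """
    match = ERROR_PATTERN.search(full_message)
    return match.group(1) if match else None


def error_before_subject(full_message):
    """Assumed reading of the question: True when ERROR occurs before the
    'subj:' marker (or there is no marker), False when it only occurs after
    the marker or not at all.
    """
    err_pos = full_message.find("ERROR")
    if err_pos == -1:
        return False
    subj_pos = full_message.find("subj:")
    return subj_pos == -1 or err_pos < subj_pos


def simulate_pipeline(full_message):
    """Mimic the two pipeline rules from the reply, run as two stages:
    rule "Log Error" flags messages containing ERROR with a boolean field,
    rule "Some rule" (later stage) overwrites that flag with "admin".
    """
    fields = {"full_message": full_message}
    if "ERROR" in full_message:  # stage 1: rule "Log Error"
        fields["ERROR"] = True
    # to_string(true) in the pipeline language yields "true"
    if str(fields.get("ERROR")).lower() == "true":  # stage 2: rule "Some rule"
        fields["ERROR"] = "admin"
    return fields


def filter_messages(messages):
    """Return only the messages the assumed question wants: ERROR present
    and not merely appearing after the subj: marker."""
    return [m for m in messages if error_before_subject(m)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(extract_error_field(msg), error_before_subject(msg), simulate_pipeline(msg).get("ERROR"))
    print(filter_messages(SAMPLE_MESSAGES))
```

Note that the regex alone also matches the third sample line ("ERROR counter"), which is exactly the case the question wants excluded; the extractor or rule condition needs the extra position check (or a tighter pattern anchored to the log level position) to tell the two apart.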
