What is the correct way to type the Condition's VALUE


Appreciate if anyone can help me in order to identify how to type the correct value in the condition in order to match the log and receive the notification mail.

Also, Is there is any way to use SQL Expressions in this field ?? to be more fixable matching on things or excluding things.

Here is the log message:

I used all the below from the message but all of them didn’t match and no mail sent.

Below is a sample of what I used


Try to enable allow_leading_wildcard_searches = true if you want to use * in beginning of your search in /etc/graylog/server/server.conf


Hello shoothub :slight_smile:

It’s fine for me not to use * at the beginning, just I want to know the best way to use this VALUE field. In syslog I was able to use SQL expressions to match on a specific log and it was too rich as I can filter based on [ XX or YY ], [ XX and YY] at the same condition and so on.

You can of course use OR expression, like: RX_PWR_L_ALARM OR TX_PWR_L_ALARM

Best way to debug alarm expression is to first use normal search.

I’m using this value in Syslog using SQL Exp. such as the below:

Here to get notification when the Syslog receives [status of the peer 10.10.10] or [status of the peer 10.8.8]:
message LIKE ‘%status of the peer 10.10.10%’ or message LIKE ‘%status of the peer 10.8.8%’

And here if it receives any logs containing SRM excluding logs with TEMPO & TEMPR
message LIKE ‘%SRM%’ and message NOT LIKE ‘%TEMPO%’ and message NOT LIKE '%TEMPR%'

How to map this SQL Exp. to OR Exp. ?

Graylog is not working like this (SQL). Elastic search DB is not a full text search, but uses tokenizer (standard tokenizer by default) to analyze data, and you can search only by analyzed data.

It uses Lucene syntax for search:


So if you enable allow_leading_wildcard_searches = true you can search also inside words with * But beware, that it can use lot of memory and cpu power.

So you can use:
message:*SRM* AND NOT message:*TEMPO* AND NOT message:*TEMPR*
or simple:

"status of the peer" AND (10.10.10* OR 10.8.8*)

Thanks for your feedback!
I don’t want to use * not to affect the server’s memory and cpu.

Let’s say I have the below log messages:
Jul 7 2020 22:04:48 UTO-NPE-NE40E-01 %%01SRM/4/CPUMEMALARM(l):Board 9 CPU usage is Upper than threshold.
Jul 7 2020 15:30:14 CFC-UPE-NE40E-X8-01 SRM_BASE/2/PORTPHYSICALUP: OID Physical state of the port changes to up.

As you can see SRM is within other characters without any spaces, when I use SRM or “SRM” in the VALUE field, the match not happen and so I don’t receive any emails.

How to match on a string such as SRM in the above examples ?

Probably best way is to use regex, you have more options:

  1. /[0-9]+SRM/ - one or more numbers followed by SRM (matches 1. message)
  2. /[0-9]{2}SRM/ - 2 numbers followed by SRM (matches 1. message)
  3. /[0-9]*SRM(_BASE)?/ - match both messages (zero or more numbers optional + SRM + optional _BASE )
  4. /[0-9]*SRM[a-z_]*/ - more general regex, match both mesages (zero or more numbers optional + SRM + string optional)
    5./[0-9]*SRM[a-z0-9_]*/ - even more general regex, match both mesages (zero or more numbers optional + SRM + string or numeric optional)

Actually I checked the server.conf and found out that we’re activating the option allow_leading_wildcard_searches = true.

But it seems to be working on the normal search in the GUI only as below snap

But it seems to be not the case while using it in the field VALUE in the Condition configuration as below.

You probably use older version of graylog. So try to change Value to:

I only guess, i couldn’t test it on such old version…

The same my friend, I tried both.

Also I tried to use /[0-9]*SRM[a-z0-9_]*/ but didn’t receive messages as well.

maybe older versions of graylog behave differently than newer one… i can’t confirm.

1 Like

Many thanks shoothub for your usal support.
Note: I’m using Graylog 2.4.0

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.