How do you use systemd's journalctl patterns
Solution 1
This was a doc bug that was closed when the typo in the man
page was updated.
The bug report led to the following comments in the code:
We don't actually accept patterns, hence don't claim so.
As a workaround, you may be able to use grep
as suggested in the comments to your question. Something like this:
journalctl | grep sshd
Solution 2
journalctl -v 239 supports filtering with -g
From journactl man page
-g, --grep= Filter output to entries where the MESSAGE= field matches the specified regular expression. PERL-compatible regular expressions are used, see pcre2pattern(3) for a detailed description of the syntax. If the pattern is all lowercase, matching is case insensitive. Otherwise, matching is case sensitive. This can be overridden with the --case-sensitive option, see below.
Solution 3
The original question titles "How do you use systemd's journalctl patterns". This points to a very specific feature of the journalctl called "MATCHES" rather than a generic regular expression filtering.
The "MATCHES" feature is fully detailed along with all other features at its friendly man page which states at its very beginning:
If one or more match arguments are passed, the output is filtered accordingly.
The "matches" feature is meant to filter the log entries out based upon a number of possible filters.
For cases like the one in the original question, this is how I do (I do run ArchLinux too).
First, you need to know the service name you are interested in. I usually do this:
systemctl | grep sshd
I get this:
sshd.service loaded active running OpenSSH Daemon
Then you can ask journalctl
to filter by the "systemd unit name" like this:
journalctl _SYSTEMD_UNIT=sshd.service
It's called "the matches filtering". That'd be it.
In case the original question was written instead to mean "how to apply grep
to journalctl output", then you can either apply grep
to the logs stored "so far" with
journalctl | grep ssh
or look at the currently incoming log entries with
journalctl -f | grep ssh
and hit CTRL-C to stop the flow. Of course, you can use more complex pipes with either finer grained regular patterns or multiple grep
commands.
Related videos on Youtube
Mark Grimes
Updated on September 18, 2022Comments
-
Mark Grimes over 1 year
I am trying to use
journalctl
's pattern matching onSYSLOG_IDENTIFIERS
. As an example, I have a ton of message taggedsshd
:$ journalctl -t sshd | wc -l 987
but if I try to use pattern matching to find them:
$ journalctl -t 'ssh*' -- No Entries -- $ journalctl -t 'ssh.*' -- No Entries --
The journalctl man page says patterns should work, but I can't find anything else about how patterns are used/defined in systemd.
$ man journalctl .... -t, --identifier=SYSLOG_IDENTIFIER|PATTERN Show messages for the specified syslog identifier SYSLOG_IDENTIFIER, or for any of the messages with a "SYSLOG_IDENTIFIER" matched by PATTERN.
I'm running ArchLinux:
$ journalctl --version systemd 225 +PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD +IDN
-
Mark Grimes over 8 yearsBased on discussions on IRC, it seems this is a bug (or an issues with the documentation). A bug has been filed.
-
nexoma over 8 yearstry this for realtime: journalctl -f | grep sshd
-
sivann over 5 yearsYou can actually add multiple -t <identifier> if that suits you.
-
gavenkoa almost 3 yearsOpened another report for enabling pattern support for syslog identities: github.com/systemd/systemd/issues/20457
-
-
Merlijn Sebrechts almost 6 yearsThis answer doesn't address the question. The user is asking for using patterns in a filter.
-
Mark Grimes over 5 yearsThanks for the response, but _SYTEMD_UNIT doesn't accept patterns. As mentioned in my comment and @Tim's answer, this was a bug in the docs.
-
EnzoR over 5 years@MarkGrimes, At least for me (systemd 239) it works. I always test what I say before writing it down. It works as documented.
-
Mark Grimes over 5 yearsThe question is about using patterns, for example
ssh*
. The journalctl docs stated that this was possible at one time. The docs were incorrect and have been updated. -
EnzoR over 5 years@MarkGrimes The question is about systemd's journalctl patterns not any character pattern. Please see my updated answer. And it works under ArchLinux exactly as documented.
-
reinierpost almost 3 yearsYou must be joking. I can't find an explanation of what PATTERN may be anywhere in that man page.
-
EnzoR almost 3 years@reinierpost What does your systems says when you run
journalctl _SYSTEMD_UNIT=sshd.service
? Mine is filtering out the logs by that specific unit. -
reinierpost almost 3 years@EnzoR So is mine (and on my Ubuntu system, the service is called
ssh
), but how does that help us understand which patterns can be used? -
EnzoR almost 3 years@reinierpost No way AFAIK. I still prefer the old-fashioned text-based freely-available syslog. But I cannot fight the whole world. Documentation is lagging behind, at best, and is totally misleading and wrong at worst. Now the manpage says:
--identifier=SYSLOG_IDENTIFIER
. They removed the pattern and solved the problem. -
EnzoR almost 3 years@MarkGrimes There is another (tongue in cheek) bug in the docs for the
--unit
option. Current manual says-u, --unit=UNIT|PATTERN ...
. I am not sure then how to query the journal if you don't have a precise unit name. Think for example about ssh/sshd. Without patterns you need to provide a precise match. And a prior scan of all the jorunal with a grep seems very inefficient and old-fashioned way of working. -
Admin about 2 yearsThis is what I was actually looking for. Having used the wrong search terms, I ended up here but found this. Thx.