How do you use systemd's journalctl patterns

Solution 1

This was a doc bug that was closed when the typo in the man page was updated.

The bug report led to the following comments in the code:

We don't actually accept patterns, hence don't claim so.

As a workaround, you may be able to use grep as suggested in the comments to your question. Something like this:

journalctl | grep sshd

Solution 2

journalctl v239 supports filtering with -g.

From the journalctl man page:

   -g, --grep=
       Filter output to entries where the MESSAGE= field matches the
       specified regular expression. PERL-compatible regular
       expressions are used, see pcre2pattern(3) for a detailed
       description of the syntax.

       If the pattern is all lowercase, matching is case
       insensitive. Otherwise, matching is case sensitive. This can
       be overridden with the --case-sensitive option, see below.

Solution 3

The original question is titled "How do you use systemd's journalctl patterns". This points to a very specific feature of journalctl called "MATCHES" rather than generic regular expression filtering.

The "MATCHES" feature is fully detailed along with all other features at its friendly man page which states at its very beginning:

If one or more match arguments are passed, the output is filtered accordingly.

The "matches" feature is meant to filter the log entries out based upon a number of possible filters.

For cases like the one in the original question, this is how I do it (I run ArchLinux too).

First, you need to know the service name you are interested in. I usually do this:

systemctl | grep sshd

I get this:

sshd.service       loaded active running   OpenSSH Daemon

Then you can ask journalctl to filter by the "systemd unit name" like this:

journalctl _SYSTEMD_UNIT=sshd.service

It's called "the matches filtering". That'd be it.

In case the original question was written instead to mean "how to apply grep to journalctl output", then you can either apply grep to the logs stored "so far" with

journalctl | grep ssh

or look at the currently incoming log entries with

journalctl -f | grep ssh

and hit CTRL-C to stop the flow. Of course, you can use more complex pipes with either finer grained regular patterns or multiple grep commands.
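All three answers come down to one distinction: a journalctl match argument such as _SYSTEMD_UNIT=sshd.service is a literal field comparison (no globbing, which is why -t 'ssh*' in the question returns nothing), -g is a regular expression searched within MESSAGE, and any other pattern filtering has to happen outside journalctl. The script below is an added example for this page, not code from any of the answers or from systemd. It emulates both mechanisms over a constructed export in the line-per-entry JSON shape that journalctl -o json prints, so the behaviour can be checked offline, and it includes the pattern-on-identifier workaround the question was after. The sample units, identifiers, timestamps and addresses are invented; the AND-between-fields / OR-within-a-field rule for matches and the lowercase-means-case-insensitive rule for -g are journalctl's documented behaviour.

```python
#!/usr/bin/env python3
"""Emulate journalctl's two filter mechanisms on a journal export.

Added example for this Q&A; it is not systemd code. It operates on the
one-JSON-object-per-line format of `journalctl -o json`, so the same
functions can be applied to live output: journalctl -o json | python3 this.py -
"""
import json
import re
import sys

# Constructed sample shaped like `journalctl -o json` output. Units,
# identifiers, timestamps and addresses are invented for the example.
SAMPLE_EXPORT = """\
{"__REALTIME_TIMESTAMP":"1700000000000001","_SYSTEMD_UNIT":"sshd.service","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Accepted publickey for alice from 192.0.2.10 port 51234 ssh2"}
{"__REALTIME_TIMESTAMP":"1700000000000002","_SYSTEMD_UNIT":"sshd.service","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2"}
{"__REALTIME_TIMESTAMP":"1700000000000003","_SYSTEMD_UNIT":"ssh-agent.service","SYSLOG_IDENTIFIER":"ssh-agent","MESSAGE":"SSH agent started"}
{"__REALTIME_TIMESTAMP":"1700000000000004","_SYSTEMD_UNIT":"cron.service","SYSLOG_IDENTIFIER":"CRON","MESSAGE":"(root) CMD (run-parts /etc/cron.hourly)"}
"""


def parse_export(text):
    """One journal entry (dict of FIELD -> value) per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_match_args(args):
    """Group FIELD=VALUE arguments by field, e.g. {'_SYSTEMD_UNIT': {'sshd.service'}}.

    A match is a literal string comparison; journalctl does no globbing or
    regex here, so 'SYSLOG_IDENTIFIER=ssh*' can only ever match an identifier
    that is literally 'ssh*'.
    """
    wanted = {}
    for arg in args:
        field, sep, value = arg.partition("=")
        if not sep or not field:
            raise ValueError(f"not a FIELD=VALUE match: {arg!r}")
        wanted.setdefault(field, set()).add(value)
    return wanted


def apply_matches(entries, args):
    """Matches on different fields are ANDed; repeats of one field are ORed."""
    wanted = parse_match_args(args)
    return [e for e in entries
            if all(e.get(field) in values for field, values in wanted.items())]


def grep_messages(entries, pattern, case_sensitive=None):
    """Emulate -g/--grep: a regex searched within MESSAGE.

    Per the man page, an all-lowercase pattern matches case-insensitively and
    any uppercase letter makes it case-sensitive. Passing case_sensitive
    explicitly plays the role of the --case-sensitive option.
    """
    if case_sensitive is None:
        case_sensitive = any(c.isupper() for c in pattern)
    rx = re.compile(pattern, 0 if case_sensitive else re.IGNORECASE)
    return [e for e in entries if rx.search(e.get("MESSAGE", ""))]


def grep_identifier(entries, pattern):
    """The workaround for the question: a regex over SYSLOG_IDENTIFIER.

    journalctl -t takes no pattern, so the filter runs over the exported
    entries instead; the regex must match the whole identifier.
    """
    rx = re.compile(pattern)
    return [e for e in entries if rx.fullmatch(e.get("SYSLOG_IDENTIFIER", ""))]


def main(argv):
    # "-" as the only argument reads a real `journalctl -o json` export from
    # stdin; otherwise the embedded sample is used.
    source = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE_EXPORT
    entries = parse_export(source)
    print("unit match      :", len(apply_matches(entries, ["_SYSTEMD_UNIT=sshd.service"])))
    print("glob in a match :", len(apply_matches(entries, ["SYSLOG_IDENTIFIER=ssh*"])))
    print("-g lowercase    :", len(grep_messages(entries, "failed password")))
    print("-g mixed case   :", len(grep_messages(entries, "Failed Password")))
    print("identifier regex:", len(grep_identifier(entries, "ssh.*")))


if __name__ == "__main__":
    main(sys.argv)
```

On the embedded sample the unit match returns the two sshd entries, the glob-in-a-match line returns nothing (exactly what the question observed), the lowercase -g pattern finds the "Failed password" line while the mixed-case one does not, and the identifier regex finds sshd and ssh-agent but not CRON. Feed live data with journalctl -o json | python3 this.py - to get the same counts for a real journal.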

Author: Mark Grimes

Updated on September 18, 2022

Comments

  • Mark Grimes
    Mark Grimes over 1 year

    I am trying to use journalctl's pattern matching on SYSLOG_IDENTIFIERS. As an example, I have a ton of messages tagged sshd:

    $ journalctl -t sshd | wc -l
    987
    

    but if I try to use pattern matching to find them:

    $ journalctl -t 'ssh*'
    -- No Entries --
    $ journalctl -t 'ssh.*'
    -- No Entries --
    

    The journalctl man page says patterns should work, but I can't find anything else about how patterns are used/defined in systemd.

    $ man journalctl
    ....
    -t, --identifier=SYSLOG_IDENTIFIER|PATTERN
           Show messages for the specified syslog identifier SYSLOG_IDENTIFIER,
           or for any of the messages with a "SYSLOG_IDENTIFIER" matched by PATTERN.
    

    I'm running ArchLinux:

    $ journalctl --version
    systemd 225
    +PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP
    +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD +IDN
    
    • Mark Grimes
      Mark Grimes over 8 years
      Based on discussions on IRC, it seems this is a bug (or an issue with the documentation). A bug has been filed.
    • nexoma
      nexoma over 8 years
      try this for realtime: journalctl -f | grep sshd
    • sivann
      sivann over 5 years
      You can actually add multiple -t <identifier> if that suits you.
    • gavenkoa
      gavenkoa almost 3 years
      Opened another report for enabling pattern support for syslog identities: github.com/systemd/systemd/issues/20457
  • Merlijn Sebrechts
    Merlijn Sebrechts almost 6 years
    This answer doesn't address the question. The user is asking for using patterns in a filter.
  • Mark Grimes
    Mark Grimes over 5 years
    Thanks for the response, but _SYSTEMD_UNIT doesn't accept patterns. As mentioned in my comment and @Tim's answer, this was a bug in the docs.
  • EnzoR
    EnzoR over 5 years
    @MarkGrimes, At least for me (systemd 239) it works. I always test what I say before writing it down. It works as documented.
  • Mark Grimes
    Mark Grimes over 5 years
    The question is about using patterns, for example ssh*. The journalctl docs stated that this was possible at one time. The docs were incorrect and have been updated.
  • EnzoR
    EnzoR over 5 years
    @MarkGrimes The question is about systemd's journalctl patterns not any character pattern. Please see my updated answer. And it works under ArchLinux exactly as documented.
  • reinierpost
    reinierpost almost 3 years
    You must be joking. I can't find an explanation of what PATTERN may be anywhere in that man page.
  • EnzoR
    EnzoR almost 3 years
    @reinierpost What does your system say when you run journalctl _SYSTEMD_UNIT=sshd.service? Mine is filtering out the logs by that specific unit.
  • reinierpost
    reinierpost almost 3 years
    @EnzoR So is mine (and on my Ubuntu system, the service is called ssh), but how does that help us understand which patterns can be used?
  • EnzoR
    EnzoR almost 3 years
    @reinierpost No way AFAIK. I still prefer the old-fashioned text-based freely-available syslog. But I cannot fight the whole world. Documentation is lagging behind, at best, and is totally misleading and wrong at worst. Now the manpage says: --identifier=SYSLOG_IDENTIFIER. They removed the pattern and solved the problem.
  • EnzoR
    EnzoR almost 3 years
    @MarkGrimes There is another (tongue in cheek) bug in the docs for the --unit option. Current manual says -u, --unit=UNIT|PATTERN ... . I am not sure then how to query the journal if you don't have a precise unit name. Think for example about ssh/sshd. Without patterns you need to provide a precise match. And a prior scan of all the journal with a grep seems a very inefficient and old-fashioned way of working.
  • Admin
    Admin about 2 years
    This is what I was actually looking for. Having used the wrong search terms, I ended up here but found this. Thx.