Reputation: 1634
How to search multiple strings in same entry in Loki
Im trying to filter out log entries which matche two strings given. The log entries are not json compatible so it cannot be parsed to json. Example log entry looks like
[INFO ] (-Worker-10) com.xx.yy.logging.UserLog Ys5morE1Kd8AkGxysKiNQgAAAsY - [customer : 20] some other text[player : 123456]
I'm trying to filter all the entries which has both customer: 20 and player : 123456.
I tried
{app="xx",filename="xx.log"} |~ "(.*customer : 20 | player : 123456.*)"
{app="xx",filename="xx.log"} |~ "(customer : 20 | player : 123456)"
{app="xx",filename="xx.log"} |~ ".*customer : 20.* .*player : 123456*."
but none of these above helped me to get the entries which has both these values. any idea ? Thanks
Upvotes: 5
Views: 12472
Answers (2)
Reputation: 78
To query for multiple terms with LogQL do the following
{job="JOB_NAME"} |= `KEY_TERM_1` |= `KEY_TERM_2`
Or in your specific case
{app="xx",filename="xx.log"} |= "customer : 20" |= "player : 123456"
Upvotes: 1
Reputation: 388
I think you just need to specify the filter message that you wanted, and accept any string in between your targeted message string.
You can try this filter:
{app="xx",filename="xx.log"} |~".*customer : 20.*player : 123456.*|.*player : 123456.*customer : 20.*"
Basically this one will match any log that contain customer : 20 and player : 123456 in any order which one is first and which one is last. Example matched log:
[INFO ] (-Worker-10) com.xx.yy.logging.UserLog Ys5morE1Kd8AkGxysKiNQgAAAsY - [customer : 20] some other text[player : 123456]
[INFO ] (-Worker-10) com.xx.yy.logging.UserLog Ys5morE1Kd8AkGxysKiNQgAAAsY - [player : 123456] some other 2 text[customer : 20]
[INFO ] (-Worker-10) com.xx.yy.logging.UserLog Ys5morE1Kd8AkGxysKiNQgAAAsY - [customer : 20][player : 123456] some other 3 text
[INFO ] (-Worker-10) com.xx.yy.logging.UserLog Ys5morE1Kd8AkGxysKiNQgAAAsY - [player : 123456][customer : 20] some other 4 text
but this will not match this log
[INFO ] (-Worker-10) com.xx.yy.logging.UserLog Ys5morE1Kd8AkGxysKiNQgAAAsY - [customer: 20] some other text[player: 123456]
because the specified string is customer : 20 (with space) but the log is not having space customer: 20. Same with the player text.
But, if you don't want to add the ability to switch place of the string customer : 20 and player : 123456 you can simpliy use this filter:
{app="xx",filename="xx.log"} |~".*customer : 20.*player : 123456.*"
This will only match this kind of log:
[INFO ] (-Worker-10) com.xx.yy.logging.UserLog Ys5morE1Kd8AkGxysKiNQgAAAsY - [customer : 20] some other text[player : 123456]
[INFO ] (-Worker-10) com.xx.yy.logging.UserLog Ys5morE1Kd8AkGxysKiNQgAAAsY - [customer : 20][player : 123456] some other 3 text
Upvotes: 0
Related Questions
- Grafana/Loki: How to use multi-select template variable with LogQL?
- Loki query to show all logs
- Loki json logs filter by detected fields from grafana
- Grafana Loki total number of a specific log message
- in Grafana how to pass a search query to search two strings with OR operator in logs?
- How to search for multiple strings in logs using aws cloudwatch log insights query?
- Regexp JSON filtering in LogQL
- How to query on multiple similar string values using "contains" in Azure Log Analytics?
- How to look for a log entry in kibana without filtering out other ones?
- Query multiple strings in a field in kibana3?