I am trying to teach our Graylog (which collects all logs from an OpenShift cluster that runs, among other stuff, our containers) to search for errors containing the string "does not exist" from specific containers, but my query doesn't work:
My first attempt was
message: "does not exist" and namespace_name: "foo" and container_name: "bar"
but that seems to expect EXACTLY the string "does not exist" and nothing else. In my case, however, the actual error messages read "Object .... with ID .... does not exist. Error-code ....".
Next attempts were:
message: "*does not exist*" and namespace_name: "foo" and container_name: "bar"
message: ".*does not exist.*" and namespace_name: "foo" and container_name: "bar"
but then I learned that text within double quotes is taken verbatim, not as a regex and without interpreting the wildcards. One should omit the double quotes for such strings. But trying with
message: *does not exist* and namespace_name: "foo" and container_name: "bar"
message: .*does not exist.* and namespace_name: "foo" and container_name: "bar"
also did not work. I suspect that's due to the "not", which here is part of the search string.
So, how can I charm Graylog into understanding my wish and matching substrings that happen to contain blanks as well as keywords? Not even Graylog's online help gave me a decent answer...
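Added illustration, not part of the original post and not Graylog's query language: the three kinds of match the post runs into, written as plain Python over constructed sample records. It shows whole-value equality (what the quoted phrase appeared to do), substring containment, and a regex that has to match the whole field value, which is why the leading and trailing `.*` matter. The field names `message`, `namespace_name` and `container_name` follow the post; the message texts, IDs and error codes are made up.

```python
import re

# Constructed sample records standing in for log messages collected from an
# OpenShift cluster (made-up data, not taken from the post or a real system).
SAMPLE_RECORDS = [
    {"namespace_name": "foo", "container_name": "bar",
     "message": "Object customer with ID 4711 does not exist. Error-code 404"},
    {"namespace_name": "foo", "container_name": "bar",
     "message": "does not exist"},
    {"namespace_name": "foo", "container_name": "bar",
     "message": "Object order with ID 42 was not found"},
    {"namespace_name": "foo", "container_name": "other",
     "message": "Object invoice with ID 7 does not exist. Error-code 500"},
    {"namespace_name": "baz", "container_name": "bar",
     "message": "Object invoice with ID 8 does not exist. Error-code 500"},
]

PHRASE = "does not exist"


def in_scope(rec, namespace, container):
    """Restrict to one namespace/container pair, as the post's query does."""
    return rec["namespace_name"] == namespace and rec["container_name"] == container


def exact_phrase(records, namespace, container, phrase=PHRASE):
    """Whole-value equality: only a message that IS the phrase matches."""
    return [r["message"] for r in records
            if in_scope(r, namespace, container) and r["message"] == phrase]


def substring(records, namespace, container, phrase=PHRASE):
    """Substring containment: blanks and the word 'not' are ordinary characters."""
    return [r["message"] for r in records
            if in_scope(r, namespace, container) and phrase in r["message"]]


def regex_fullmatch(records, namespace, container, pattern=r".*does not exist.*"):
    """Regex anchored to the whole value; without the .* on both ends it behaves
    like exact_phrase()."""
    rx = re.compile(pattern)
    return [r["message"] for r in records
            if in_scope(r, namespace, container) and rx.fullmatch(r["message"])]


if __name__ == "__main__":
    print("exact   :", exact_phrase(SAMPLE_RECORDS, "foo", "bar"))
    print("substr  :", substring(SAMPLE_RECORDS, "foo", "bar"))
    print("regex   :", regex_fullmatch(SAMPLE_RECORDS, "foo", "bar"))
    print("anchored:", regex_fullmatch(SAMPLE_RECORDS, "foo", "bar", r"does not exist"))
```

To a substring or regex matcher the blanks and the word "not" inside the phrase carry no special meaning, so the matching itself is not the obstacle; how Graylog's query parser treats the unquoted words is a separate question that this snippet does not answer.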