On Tue, Apr 5, 2022 at 3:22 PM Ulrich Windl < ulrich.wi...@rz.uni-regensburg.de> wrote:
> >>> Mantas Mikulenas <graw...@gmail.com> schrieb am 05.04.2022 um 11:08 in > Nachricht > <CAPWNY8WgSRW2ewb3Fu+_XVdo7=c1m8yobwelsf3oe62pj6v...@mail.gmail.com>: > > On Tue, Apr 5, 2022 at 9:36 AM Ulrich Windl < > > ulrich.wi...@rz.uni-regensburg.de> wrote: > > > >> Hi! > >> > >> I have two questions for "journalctl -b -g logrotate": > >> > >> 1) I'm unsure what the exact rules for matching a "-g expression" are: > >> Some kernel messages are matched, others not. > >> > > > > All entries with a MESSAGE= are matched (after doing until/since/boot-id > > checks). They might still be hidden for other reasons though, e.g. > messages > > containing weird escape characters (or accidental binary data) will be > > hidden unless you use -a. > > And how do I find out whether a kernel message has a MESSAGE=? > Messages from kernel (kmsg) or from syslog always do, it's only userspace messages from sd_journal_send() that might not have one. (Though if it shows up in journalctl, then obviously it has a message.) Try different `-o` modes though to see what fields each log entry actually has. > > As soon as I add _MESSAGE= I get no output any more (even with MESSAGE=.*). > It's MESSAGE, not _MESSAGE, and there's no regex support for this kind of match. Journalctl can't search for "all entries that contain this key" unfortunately. (Would be useful though.) -- Mantas Mikulėnas
