Searching in Graylog2 full_message

Question

Is it possible to search in Graylog2 full messages using Quickfilter?

I can successfully search in short messages, but it seems like full messages can be filtered only using streams.

I need to filter old full messages and new stream is applied only to new messages. Is there any solution to this problem?

score 7 · Answer 1 · answered Aug 26 '12 at 16:25

Found a way to search full_message terms:

In "analytics" tab there is analytics shell where you can execute custom commands.

Example:

all.find(full_message="term")

Note from Graylog Analytics Shell instructions:

The fields message and full_message are broken to terms. This means that searches on them do not mean equals [search term] but contains [search term].

score 4 · Accepted Answer · answered Feb 02 '17 at 15:58

4

As of Graylog V2.1.2, the the field full_message can be searched like any other field.

You can directly search full_message:

full_message: "my full message string"

or search across all fields:

"my full message string"

answered Feb 02 '17 at 15:58

sleske

81,358
34
189
227

What are the differences between `message` and `full_message` field? – Kevin Wittek Sep 08 '17 at 09:47
@KevinWittek: Good question. Please do not [ask a new question in a comment](https://meta.stackexchange.com/questions/129616/is-it-ok-to-ask-a-new-related-question-in-the-comments). If you want to ask something, use the "Ask question" button :-). – sleske Sep 08 '17 at 11:25

Searching in Graylog2 full_message

2 Answers2