On Tue, Apr 5, 2022 at 3:22 PM Ulrich Windl <Ulrich.Windl@xxxxxxxxxxxxxxxxxxxx> wrote:
>>> Mantas Mikulenas <grawity@xxxxxxxxx> wrote on 05.04.2022 at 11:08 in
message
<CAPWNY8WgSRW2ewb3Fu+_XVdo7=C1m8YobWELsF3OE62pJ6vHhA@xxxxxxxxxxxxxx>:
> On Tue, Apr 5, 2022 at 9:36 AM Ulrich Windl <
> Ulrich.Windl@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> Hi!
>>
>> I have two questions for "journalctl -b -g logrotate":
>>
>> 1) I'm unsure what the exact rules for matching a "-g expression" are:
>> Some kernel messages are matched, others not.
>>
>
> All entries with a MESSAGE= are matched (after doing until/since/boot-id
> checks). They might still be hidden for other reasons though, e.g. messages
> containing weird escape characters (or accidental binary data) will be
> hidden unless you use -a.

> And how do I find out whether a kernel message has a MESSAGE=?

Messages from kernel (kmsg) or from syslog always do, it's only userspace messages from sd_journal_send() that might not have one. (Though if it shows up in journalctl, then obviously it has a message.) Try different `-o` modes though to see what fields each log entry actually has.

> As soon as I add _MESSAGE= I get no output any more (even with MESSAGE=.*).

It's MESSAGE, not _MESSAGE, and there's no regex support for this kind of match. Journalctl can't search for "all entries that contain this key" unfortunately. (Would be useful though.)

Mantas Mikulėnas
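
Added example (not part of the original thread): a Python filter over `journalctl -o json` lines that reproduces the MESSAGE-only matching of `-g` described above and adds the "entries that contain this key" selection that journalctl lacks. The sample entries and the field name EXAMPLE_FIELD are constructed, and Python's `re` stands in for journalctl's PCRE2 matching.

```python
import json
import re

# Constructed sample shaped like `journalctl -b -o json` output (one object per line).
SAMPLE = [json.dumps(e) for e in (
    {"_TRANSPORT": "kernel", "MESSAGE": "EXT4-fs (sda1): re-mounted"},
    {"_TRANSPORT": "syslog", "SYSLOG_IDENTIFIER": "logrotate",
     "MESSAGE": "logrotate: ALERT exited abnormally with [1]"},
    # Native journal entry sent without MESSAGE=; EXAMPLE_FIELD is made up.
    {"_TRANSPORT": "journal", "EXAMPLE_FIELD": "logrotate run finished"},
    # Binary MESSAGE: -o json emits non-printable data as an array of byte values.
    {"_TRANSPORT": "stdout", "MESSAGE": list(b"logrotate\x1b[0m done")},
    {"_TRANSPORT": "kernel", "MESSAGE": "audit: comm=logrotate denied"},
)]


def message_text(entry):
    """Return MESSAGE as text, or None if the field is absent or null."""
    value = entry.get("MESSAGE")
    if value is None:
        return None
    if isinstance(value, list):
        if all(isinstance(b, int) for b in value):   # raw bytes
            return bytes(value).decode("utf-8", "replace")
        return "\n".join(map(str, value))            # repeated field
    return value


def select(lines, pattern=None, has_field=None):
    """Yield entries whose MESSAGE matches pattern and/or that carry has_field."""
    rx = None
    if pattern is not None:
        # journalctl -g is case-insensitive when the pattern is all lowercase.
        flags = re.IGNORECASE if pattern == pattern.lower() else 0
        rx = re.compile(pattern, flags)   # Python re here, not PCRE2
    for line in lines:
        entry = json.loads(line)
        if has_field is not None and has_field not in entry:
            continue
        if rx is not None:
            text = message_text(entry)
            if text is None or not rx.search(text):
                continue
        yield entry


if __name__ == "__main__":
    for e in select(SAMPLE, pattern="logrotate"):
        print(e["_TRANSPORT"], repr(message_text(e)))
```

To run it against a live journal, pass the lines of `journalctl -b -o json` (for example `sys.stdin`) to `select()` in place of `SAMPLE`.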