INTRODUCTION
journalctl is your primary command-line interface to retrieve and analyze journald logs. While simple commands like journalctl -n 50 (show 50 latest lines) are helpful, it’s the advanced filtering features that elevate your diagnostic capabilities. This post explains how to slice, dice, and correlate logs quickly, even in highly complex environments.
ESSENTIAL journalctl COMMANDS
• journalctl -n 20: Shows the last 20 messages.
• journalctl -f: Follows logs in real time (akin to tail -f for journald).
• journalctl --since "2025-01-20 09:00:00" --until "2025-01-20 10:00:00": Time-based filtering for precise forensic analysis.
• journalctl -p err: Retrieves logs with priority error or higher (err, crit, alert, emerg).
ADVANCED FILTERING
One of journald’s strongest features is the ability to tag log entries and filter by those tags:
Example: Filter by custom fields (for instance, fields your own Python code attached to the entry when it sent it to the journal):
journalctl MONITOR_TYPE=system_stats
journalctl ALERT_LEVEL=critical
Combining multiple fields (each match is an exact string comparison against the stored value, so a numeric threshold such as CPU above 80% has to be applied afterwards, e.g. with jq on the JSON output):
journalctl MONITOR_TYPE=system_stats ALERT_LEVEL=critical --output=json-pretty
Matches on different fields are ANDed; several matches on the same field are ORed. Values containing spaces or shell metacharacters still need quotes or escapes, and any comparison beyond exact equality belongs in a post-processing step over the JSON output.
This command quickly leads you to suspicious processes or containers hogging resources.
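The post-processing step mentioned above, as an added example that is not part of the original post: a small Python filter that reads journalctl --output=json lines (journald emits every field value as a string, so the numeric comparison must happen after parsing) and keeps entries whose CPU_PERCENT exceeds a threshold. The field names CPU_PERCENT and TOP_PROCESS and the sample lines are constructed for this example and are not fields journald defines.

```python
import json
import sys
from datetime import datetime, timezone
from typing import Iterable, Iterator

# Constructed sample of `journalctl MONITOR_TYPE=system_stats --output=json` output.
# CPU_PERCENT and TOP_PROCESS are hypothetical custom fields; __REALTIME_TIMESTAMP
# and _HOSTNAME are real journald fields (microseconds since the epoch, and the host).
SAMPLE_JSON_LINES = """\
{"__REALTIME_TIMESTAMP": "1737364800000000", "_HOSTNAME": "node01", "MONITOR_TYPE": "system_stats", "CPU_PERCENT": "42.5", "TOP_PROCESS": "sshd", "MESSAGE": "system_stats sample"}
{"__REALTIME_TIMESTAMP": "1737364860000000", "_HOSTNAME": "node01", "MONITOR_TYPE": "system_stats", "CPU_PERCENT": "93.1", "TOP_PROCESS": "ffmpeg", "MESSAGE": "system_stats sample"}
{"__REALTIME_TIMESTAMP": "1737364920000000", "_HOSTNAME": "node02", "MONITOR_TYPE": "system_stats", "CPU_PERCENT": "not-a-number", "TOP_PROCESS": "java", "MESSAGE": "system_stats sample"}
{"__REALTIME_TIMESTAMP": "1737364980000000", "_HOSTNAME": "node02", "MONITOR_TYPE": "system_stats", "CPU_PERCENT": "81.0", "TOP_PROCESS": "java", "MESSAGE": "system_stats sample"}
"""


def parse_journal_json(text: str) -> Iterator[dict]:
    """Yield one dict per non-empty line of `journalctl --output=json` output."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def above_threshold(entries: Iterable[dict], field: str, threshold: float) -> list:
    """Return the entries whose numeric `field` is strictly greater than threshold.

    journald stores field values as strings, so convert first. Entries where the
    field is missing or not numeric are skipped rather than aborting the whole run,
    which matters when one misbehaving producer writes garbage into the field.
    """
    hits = []
    for entry in entries:
        raw = entry.get(field)
        if raw is None:
            continue
        try:
            value = float(raw)
        except (TypeError, ValueError):
            continue
        if value > threshold:
            hits.append(entry)
    return hits


def format_hit(entry: dict) -> str:
    """Render a hit as ISO timestamp, host, and the fields an analyst acts on."""
    ts_us = int(entry.get("__REALTIME_TIMESTAMP", "0"))
    when = datetime.fromtimestamp(ts_us / 1_000_000, tz=timezone.utc).isoformat()
    return (f"{when} {entry.get('_HOSTNAME', '?')} "
            f"cpu={entry.get('CPU_PERCENT')} top={entry.get('TOP_PROCESS')}")


if __name__ == "__main__":
    # Real use: journalctl MONITOR_TYPE=system_stats --output=json | python3 cpu_hogs.py
    # With no piped input, the constructed sample above is used instead.
    text = SAMPLE_JSON_LINES if sys.stdin.isatty() else sys.stdin.read()
    for hit in above_threshold(parse_journal_json(text), "CPU_PERCENT", 80):
        print(format_hit(hit))
```

The same script works on --output=json-pretty output only after re-flattening it (jq -c . does that), which is why the plain json format is the better choice for piping.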
HANDY OUTPUT FORMATS
• journalctl --output=short: Minimal, one-line entries (similar to classic syslog).
• journalctl --output=json-pretty: Great for piping into jq for further analysis or storing as JSON.
• journalctl --output=cat: Outputs raw log messages without metadata (helpful for quick reads).
COMMON PITFALLS (“GOTCHAS”)
• Case Sensitivity: Field names are case-sensitive; searching for service_name will not match entries stored under SERVICE_NAME (journald field names are uppercase).
• Time Parsing: Use --since '-1h' or --since '1 hour ago' (not --since '1 hour').
• Spaces in FIELD=VALUE searches: journalctl MESSAGE=Authentication failed is split by the shell into two arguments, so quote the value: journalctl MESSAGE="Authentication failed"
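All three pitfalls disappear if the query is assembled as an argument list rather than typed into a shell. The following Python helper is an added example, not code from the original post: it validates field names against journald's naming rule (uppercase letters, digits and underscores), passes each FIELD=VALUE match as a single argv element so spaces never reach a shell, and uses the = form of --since, --until and --priority. The function names build_journalctl_argv, as_shell_command and run_query are this example's own.

```python
import re
import shlex
import subprocess
from typing import Dict, List, Optional

# journald field names consist of uppercase letters, digits and underscores.
# Names beginning with an underscore are the trusted fields journald adds itself
# (_PID, _HOSTNAME, _SYSTEMD_UNIT, ...); you may match on them, but fields your
# own code emits must not start with one. Lowercase names are rejected outright,
# which turns the "service_name vs SERVICE_NAME" silent miss into a loud error.
FIELD_NAME = re.compile(r"^[A-Z0-9_]+$")


def build_journalctl_argv(matches: Dict[str, str],
                          since: Optional[str] = None,
                          until: Optional[str] = None,
                          priority: Optional[str] = None,
                          output: str = "json") -> List[str]:
    """Return the argv for a journalctl query; nothing is executed here."""
    argv = ["journalctl", f"--output={output}"]
    if since:
        argv.append(f"--since={since}")       # e.g. "1 hour ago", "-1h", "2025-01-20 09:00:00"
    if until:
        argv.append(f"--until={until}")
    if priority:
        argv.append(f"--priority={priority}")  # e.g. "err" means err and more severe
    for name, value in matches.items():
        if not FIELD_NAME.match(name):
            raise ValueError(
                f"invalid journal field name {name!r}; journald fields are "
                f"uppercase, e.g. {name.upper()!r}")
        # One argv element per match: a value with spaces stays one argument,
        # because there is no shell in between to split it.
        argv.append(f"{name}={value}")
    return argv


def as_shell_command(argv: List[str]) -> str:
    """Quote the argv for pasting into a shell or a runbook."""
    return shlex.join(argv)


def run_query(argv: List[str]) -> str:
    """Run the query and return its stdout (json lines when output='json')."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    argv = build_journalctl_argv(
        {"MESSAGE": "Authentication failed", "MONITOR_TYPE": "system_stats"},
        since="1 hour ago", priority="err")
    print(as_shell_command(argv))
    # print(run_query(argv))  # uncomment on a host with journald
```

Because shlex.join only quotes the elements that need it, the printed command is exactly what you would type by hand, with the quotes in the right places.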
CONCLUSION
Mastering journalctl unlocks powerful capabilities to query large volumes of logs quickly. Whether you’re dealing with HPC, container fleets, or microservices, advanced filtering ensures you find the relevant logs fast.