How can I exclude journalctl entries using a filter?


Consider the following three entries in this journalctl output (JSON output and debug mode are enabled for completeness):

SYSTEMD_LOG_LEVEL=debug journalctl -o json -u docker --since '1 hour ago'
Root directory /run/log/journal added.
Considering /run/log/journal/de1e08ac57af453bacab3cc9875b12b9.
Directory /run/log/journal/de1e08ac57af453bacab3cc9875b12b9 added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-0000000001022a21-00054cd4f00adc68.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-000000000101fcf0-00054cd199b0289f.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-000000000101cd35-00054ccd960f91a8.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-0000000001019c1d-00054ccab4dac8d5.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-0000000001016ae3-00054cc7d76493eb.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-00000000010139aa-00054cc4212faa29.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-0000000001010d45-00054cbe6893a794.journal added.
Considering /run/log/journal/c811c8a6e38845669ba5607794d4b425.
Directory /run/log/journal/c811c8a6e38845669ba5607794d4b425 added.
File /run/log/journal/c811c8a6e38845669ba5607794d4b425/system.journal added.
Journal filter: ((OBJECT_SYSTEMD_UNIT=docker.service AND _UID=0) OR (UNIT=docker.service AND _PID=1) OR (COREDUMP_UNIT=docker.service AND _UID=0 AND MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1) OR _SYSTEMD_UNIT=docker.service)
{ "__CURSOR" : "s=7bea274da69540c8b1676a1cd030f6ee;i=10260ef;b=15e9d32e03844e279dc0fcce7cb3c223;m=77b2f462910;t=54cd75d2cca7e;x=c30fbcda999df142", "__REALTIME_TIMESTAMP" : "1491862748449406", "__MONOTONIC_TIMESTAMP" : "8225655499024", "_BOOT_ID" : "15e9d32e03844e279dc0fcce7cb3c223", "_UID" : "0", "_GID" : "0", "_MACHINE_ID" : "de1e08ac57af453bacab3cc9875b12b9", "_HOSTNAME" : "bnode1", "_CAP_EFFECTIVE" : "1fffffffff", "_SYSTEMD_SLICE" : "system.slice", "PRIORITY" : "6", "_TRANSPORT" : "journal", "MESSAGE" : "http: TLS handshake error from 172.17.0.4:59426: tls: first record does not look like a TLS handshake\n", "PACKAGE" : "", "SYSLOG_IDENTIFIER" : "dockerd", "_PID" : "23542", "_COMM" : "dockerd", "_EXE" : "/usr/bin/dockerd", "_CMDLINE" : "dockerd -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver devicemapper --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=digitalocean", "_SYSTEMD_CGROUP" : "/system.slice/docker.service", "_SYSTEMD_UNIT" : "docker.service", "_SOURCE_REALTIME_TIMESTAMP" : "1491862748449026" }
Root directory /run/log/journal removed.
Directory /run/log/journal/c811c8a6e38845669ba5607794d4b425 removed.
Directory /run/log/journal/de1e08ac57af453bacab3cc9875b12b9 removed.
mmap cache statistics: 719 hit, 15 miss
{ "__CURSOR" : "s=7bea274da69540c8b1676a1cd030f6ee;i=10260f0;b=15e9d32e03844e279dc0fcce7cb3c223;m=77b2f465891;t=54cd75d2cf9ff;x=c85ca946535cd15a", "__REALTIME_TIMESTAMP" : "1491862748461567", "__MONOTONIC_TIMESTAMP" : "8225655511185", "_BOOT_ID" : "15e9d32e03844e279dc0fcce7cb3c223", "_UID" : "0", "_GID" : "0", "_MACHINE_ID" : "de1e08ac57af453bacab3cc9875b12b9", "_HOSTNAME" : "bnode1", "_CAP_EFFECTIVE" : "1fffffffff", "_SYSTEMD_SLICE" : "system.slice", "PRIORITY" : "6", "_TRANSPORT" : "journal", "PACKAGE" : "", "SYSLOG_IDENTIFIER" : "dockerd", "_PID" : "23542", "_COMM" : "dockerd", "_EXE" : "/usr/bin/dockerd", "_CMDLINE" : "dockerd -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver devicemapper --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=digitalocean", "_SYSTEMD_CGROUP" : "/system.slice/docker.service", "_SYSTEMD_UNIT" : "docker.service", "MESSAGE" : "http: TLS handshake error from 172.17.0.4:59428: tls: client didn't provide a certificate\n", "_SOURCE_REALTIME_TIMESTAMP" : "1491862748461177" }
{ "__CURSOR" : "s=7bea274da69540c8b1676a1cd030f6ee;i=102611c;b=15e9d32e03844e279dc0fcce7cb3c223;m=77b311a8308;t=54cd75f012476;x=25ad24e998bdafaa", "__REALTIME_TIMESTAMP" : "1491862779143286", "__MONOTONIC_TIMESTAMP" : "8225686192904", "_BOOT_ID" : "15e9d32e03844e279dc0fcce7cb3c223", "_UID" : "0", "_GID" : "0", "_MACHINE_ID" : "de1e08ac57af453bacab3cc9875b12b9", "_HOSTNAME" : "bnode1", "_CAP_EFFECTIVE" : "1fffffffff", "_SYSTEMD_SLICE" : "system.slice", "PRIORITY" : "6", "_TRANSPORT" : "journal", "_PID" : "23542", "_COMM" : "dockerd", "_EXE" : "/usr/bin/dockerd", "_CMDLINE" : "dockerd -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver devicemapper --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=digitalocean", "_SYSTEMD_CGROUP" : "/system.slice/docker.service", "_SYSTEMD_UNIT" : "docker.service", "MESSAGE" : "hello world", "CONTAINER_TAG" : "5d0ecb10c3c5", "CONTAINER_ID" : "5d0ecb10c3c5", "CONTAINER_ID_FULL" : "5d0ecb10c3c5c51ac912c174f2e5db4e9a9acecd948cfe296d0966936dae584a", "CONTAINER_NAME" : "happy_booth", "_SOURCE_REALTIME_TIMESTAMP" : "1491862779142975" }

I have three entries in total. Only one of them has the custom CONTAINER_ID field.

I want to build a journalctl command that excludes any entry containing this particular field. I tried the following, to no avail:

SYSTEMD_LOG_LEVEL=debug journalctl -o json -u docker --since '1 hour ago' CONTAINER_ID=
Root directory /run/log/journal added.
Considering /run/log/journal/de1e08ac57af453bacab3cc9875b12b9.
Directory /run/log/journal/de1e08ac57af453bacab3cc9875b12b9 added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-0000000001022a21-00054cd4f00adc68.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-000000000101fcf0-00054cd199b0289f.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-000000000101cd35-00054ccd960f91a8.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-0000000001019c1d-00054ccab4dac8d5.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-0000000001016ae3-00054cc7d76493eb.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-00000000010139aa-00054cc4212faa29.journal added.
File /run/log/journal/de1e08ac57af453bacab3cc9875b12b9/system@7bea274da69540c8b1676a1cd030f6ee-0000000001010d45-00054cbe6893a794.journal added.
Considering /run/log/journal/c811c8a6e38845669ba5607794d4b425.
Directory /run/log/journal/c811c8a6e38845669ba5607794d4b425 added.
File /run/log/journal/c811c8a6e38845669ba5607794d4b425/system.journal added.
Journal filter: (CONTAINER_ID= AND ((OBJECT_SYSTEMD_UNIT=docker.service AND _UID=0) OR (UNIT=docker.service AND _PID=1) OR (COREDUMP_UNIT=docker.service AND _UID=0 AND MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1) OR _SYSTEMD_UNIT=docker.service))
Directory /run/log/journal/c811c8a6e38845669ba5607794d4b425 removed.
Directory /run/log/journal/de1e08ac57af453bacab3cc9875b12b9 removed.
Root directory /run/log/journal removed.
mmap cache statistics: 16 hit, 12 miss

Setting the filter to CONTAINER_ID= will return entries.

Is there a way to tell journalctl to match only entries that do not have the field?

The journalctl man page does not seem to list an example covering this use case.

Answer 1

No, exclusion/negation filters are not supported. Currently, you have to filter the results from journalctl through jq or regular grep.

Answer 2

If the CONTAINER_ID is included in the text output, you can use grep with -v / --invert-match for a simple inverse match:

journalctl -u docker -o cat --no-pager | grep -v "5d0ecb10c3c5"

For more advanced filtering, it is better to use JSON output:

journalctl -u docker -b -o json | jq -C . | less -R

You can filter the messages as @programmerq suggested:

journalctl -u docker -o json | jq -cr 'select(has("CONTAINER_ID") | not) | .MESSAGE'
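
The same post-filter in Python, as an added example that is not part of either answer: it excludes entries by field name rather than by text match, skips non-JSON debug lines, and decodes MESSAGE values that journalctl -o json emits as byte arrays for non-UTF-8 data. The function names and the sample lines are constructed for illustration.

```python
import json
import sys


def decode_value(value):
    """journalctl -o json serializes non-UTF-8 field data as a list of byte values."""
    if isinstance(value, list) and value and all(isinstance(b, int) for b in value):
        return bytes(value).decode("utf-8", errors="replace")
    return value


def exclude_field(lines, field):
    """Yield parsed journal entries that do not carry `field` at all."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # blank lines and SYSTEMD_LOG_LEVEL=debug chatter
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or otherwise malformed line
        if field not in entry:
            yield entry


def messages(lines, field="CONTAINER_ID"):
    """Return the MESSAGE of every entry that lacks `field`."""
    return [decode_value(e.get("MESSAGE")) for e in exclude_field(lines, field)]


# Constructed sample input, modelled on the entries in the question.
SAMPLE = [
    "Journal filter: _SYSTEMD_UNIT=docker.service",
    '{"_SYSTEMD_UNIT": "docker.service", "MESSAGE": "http: TLS handshake error"}',
    '{"_SYSTEMD_UNIT": "docker.service", "MESSAGE": "hello world", "CONTAINER_ID": "5d0ecb10c3c5"}',
    # Daemon entry that merely mentions the ID: grep -v "5d0ecb10c3c5" would drop it.
    '{"_SYSTEMD_UNIT": "docker.service", "MESSAGE": "container 5d0ecb10c3c5 restarted"}',
    # Non-UTF-8-style encoding: MESSAGE as an array of byte values ("daemon up").
    '{"_SYSTEMD_UNIT": "docker.service", "MESSAGE": [100, 97, 101, 109, 111, 110, 32, 117, 112]}',
]

if __name__ == "__main__":
    # Pipe `journalctl -u docker -o json` in, or run without a pipe to use SAMPLE.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for msg in messages(source):
        print(msg)
```
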
