I have centralized journals from different hosts to a central log server with systemd-journal-remote. All journals are stored remotely in a file per host. Now I'd like to search in all of these journals with journalctl in case of an error that has occurred.
So let's say I want to look for the error message in all four journal files. I do so with:
journalctl -r --file=remote-10.0.0.1.journal --file=remote-10.0.0.2.journal --file=remote-10.0.0.3.journal --file=remote-10.0.0.4.journal --grep=<my_error_msg>
That works just fine. Problem is that the output is barely readable because of boot messages cluttering up the output:
-- Boot 9cb37f3f1f0f49c1a6c7aeafdc9ba9bf --
-- Boot 6e509dc14176465c975d564b1ac114cd --
-- Boot 9cb37f3f1f0f49c1a6c7aeafdc9ba9bf --
-- Boot 6e509dc14176465c975d564b1ac114cd --
-- Boot 9cb37f3f1f0f49c1a6c7aeafdc9ba9bf --
-- Boot 6e509dc14176465c975d564b1ac114cd --
-- Boot 9cb37f3f1f0f49c1a6c7aeafdc9ba9bf --
Dec 21 15:34:01 webserver-01 CRON[444444]: (root) CMD ((/var/www/heartbeat.sh "<my_error_msg>"))
-- Boot 6e509dc14176465c975d564b1ac114cd --
Dec 21 15:51:08 webserver-02 CRON[232323]: (root) CMD ((/var/www/heartbeat.sh "<my_error_msg>"))
-- Boot 9cb37f3f1f0f49c1a6c7aeafdc9ba9bf --
-- Boot 6e509dc14176465c975d564b1ac114cd --
-- Boot 9cb37f3f1f0f49c1a6c7aeafdc9ba9bf --
I guess the reason for this is that all boots of all hosts are respected. I assume this because the output stays the same if I add the --boot all option. If I now want to reduce the journal entries to "since last boot" only, I'd add the -b 0 option. Problem: it gives me the results of the latest boot, i.e. the host which has booted last.
Is there a way to get entries of all hosts after last boot? Or does anyone have a better idea to search through more than one journal for <text_string>?
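An added example, not part of the original post: one way to get "since last boot" per host is to run journalctl once per journal file, so that -b 0 resolves to the newest boot recorded in that file rather than the newest boot across all files. It assumes each file holds exactly one host's journal, as described above; `search_last_boot` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: search each per-host journal file separately so that
# "-b 0" means that host's own most recent boot.
# search_last_boot is a hypothetical helper, not a journalctl feature.

# usage: search_last_boot PATTERN FILE...
# Prints matches grouped by file; returns 0 if any file had a match.
search_last_boot() {
    pattern=$1
    shift
    rc=1    # becomes 0 as soon as one file produces a match
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "skipping unreadable journal: $f" >&2
            continue
        fi
        # One journalctl call per file: with a single --file, boot
        # offset 0 is the newest boot recorded in that file.
        # -q drops informational lines such as "-- No entries --".
        out=$(journalctl -q --no-pager -r -b 0 \
                  --file="$f" --grep="$pattern" 2>/dev/null)
        if [ -n "$out" ]; then
            printf '== %s ==\n%s\n' "$f" "$out"
            rc=0
        fi
    done
    return $rc
}

# Example call (file names as in the post):
#   search_last_boot '<my_error_msg>' remote-10.0.0.*.journal
```

Because every call sees a single file, the results are grouped per host instead of being interleaved by time.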