What is journalctl Filters?

You can use filters with journalctl to narrow down and control which log entries are displayed. journalctl supports a wide range of filtering options, both by structured fields and by command-line flags.

  • Structured Fields: SYSLOG_IDENTIFIER, _SYSTEMD_UNIT, _UID, etc
  • Command-Line Fields: --since, --until, -u, -p, --grep, etc

Common journalctl Filters

Filter TypeExample CommandDescription
By Timejournalctl --since "8 hours ago"Shows logs since a specific time
By Service/Unitjournalctl -u nginx.serverShow logs for a specific server/unit
By Priorityjournalctl -p warningShow logs at/above a certain severity
By Fieldjournalctl SYSLOG_IDENTIFIER=sudoShow logs where a field matches a value
By Bootjournalctl -b -1Shows logs from the previous boot
By Keywordjournalctl --grep "error"Shows logs containing a keyword

Advanced journalctl Filters

Filter TypeExample CommandDescription
By User IDjournalctl _UID=user_idFilter logs by the user ID of the process that generated them
By Group IDjournalctl _GID=group_idFilter logs by the group ID of the process that generated them
By Process IDjournalctl _PID=process_idFilter logs by process ID
By Process namejournalctl _COMM=nginxFilter by process name (eg. _COMM=nginx)
By Hostnamejournalctl _HOSTNAME=hostnameFilter logs by hostname
By Executable Pathjournalctl _EXE=exe_pathFilter logs by executable path (eg: /usr/local/bin/hugo)
By Boot Sessionjournalctl _BOOT_ID=boot_idFilter logs by a specific boot session
By Audit Sessionjournalctl _AUDIT_SESSION=session_idFilter logs by audit session ID
By Syslog Facility Codejournalctl _SYSLOG_FACILITY=facility_numberFilter by syslog facility code

Alternatively, you can find the available filters in journalctl by using:

journalctl --fields

Example

  1. View logs since yesterday
  2. Filter logs for a specific service
  3. Show only error messages
  4. Filter by time range
  5. Show logs from the previous boot
  6. Filter logs by user
  7. Search for a keyboard
  8. Limit the number of output lines