Skip to main content

Raymii.org Raymii.org Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed | Gopher

Exclude lines in less (or journalctl)

Published: 23-05-2021 | Author: Remy van Elst | Text only version of this article


This is a small tip I want to give you when using a less based pager, for example in journalctl or when viewing a file interactively with less or more. You can exclude certain lines that match one or multiple words (or a regex) with a few keystrokes, once less is open. This is one of those tips you never knew you needed, but when you know it, you'll use it frequently. Like in my case today when searching through some logfiles to find out why my database stopped working.

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.

Once your file is open in less (or journalctl) press the following keys:

Ampersand opens the pattern matching mode, exclamation mark tells less to exclude the following part, and then you enter your search term.

Here is a picture showing it in action:

gif of exclude in less

(Here's a guide how to make such screen recordings with ffmpeg.)

To make this even more useful, if you have presses &!. you can press UP to get your last command. Want to exclude another word? Just add a pipe to it. Example to exclude both cron and sshd:

&!cron|sshd

As these are just simple regexes, imagine the rest you can do. More information can be found in the manpage of less:

&pattern

Display only lines which match the pattern; lines which do not match the pattern are not displayed.  
If pattern is empty (if you type & immediately followed by ENTER), any filtering is turned off, and 
all lines are displayed.  While filtering is in effect, an ampersand is displayed at the beginning 
of the prompt, as a reminder that some lines in the file may be hidden.

Certain characters are special as in the / command+:

^N or !
    Display only lines which do NOT match the pattern.

The pattern is a regular expression, as recognized by the regular expression library supplied by 
your system.

I was troubleshooting why my RSS reader (miniflux) stopped working, it gave an error telling me it couldn't connect to the database. Turns out the VPS had run out of memory a day earlier and the database was hit by the out-of-memory (OOM) killer. By excluding all irrelevant stuff I was able to figure out really quickly what the actual error was:

May 23 03:00:49 s1 kernel: Out of memory: Kill process 18545 (postgres) score 140 or sacrifice child
May 23 03:00:49 s1 kernel: Killed process 18545 (postgres) total-vm:320656kB, anon-rss:2068kB, file-rss:1088kB, shmem-rss:137824kB
May 23 03:00:49 s1 kernel: oom_reaper: reaped process 18545 (postgres), now anon-rss:0kB, file-rss:0kB, shmem-rss:137824kB
May 23 03:00:49 s1 kernel: python invoked oom-killer: gfp_mask=0x14200ca(GFP_HIGHUSER_MOVABLE), nodemask=(null), order=0, oom_score_adj=0

Earlier on in the log I could find out which process was the culprit to actually invoke the OOM killer, that has been resolved with some config file tweaking.

Tags: bash , journalctl , less , more , regex , snippets