
Drill: Filter Journal Entries by Time, Unit, and Priority

Goal

Use journalctl to filter systemd journal entries by time range, service unit, and log priority level.

Setup

  • A Linux system running systemd with journald active
  • Root or a user in the systemd-journal group

Commands

View logs from the last hour:

journalctl --since "1 hour ago"

View logs in a specific time window:

journalctl --since "2025-03-01 08:00:00" --until "2025-03-01 12:00:00"

Filter by a specific unit (service):

journalctl -u sshd.service --since today

Filter by priority (0=emerg through 7=debug):

journalctl -p err          # show err and above (crit, alert, emerg)
journalctl -p warning..err # show warnings through errors only

Combine filters for targeted investigation:

journalctl -u nginx.service -p warning --since "30 min ago" --no-pager

Follow logs in real time for a unit:

journalctl -u kubelet.service -f

Output as JSON for scripting:

journalctl -u sshd.service -o json-pretty --since today
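
Added example (not part of the original drill): Python that reads `journalctl -o json` output (one object per line, unlike json-pretty) and re-applies the unit, priority and time-window filters, so the numeric priority comparison and the extra metadata fields are visible. The sample entries are constructed, the function names are hypothetical, timestamps are treated as UTC, and the unit match is simplified to the _SYSTEMD_UNIT field.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `journalctl -o json` output: one JSON object per line,
# field values normally strings. Timestamps are microseconds since the epoch.
SAMPLE = [
    '{"__REALTIME_TIMESTAMP":"1740816300000000","PRIORITY":"6","_SYSTEMD_UNIT":"sshd.service","_PID":"811","MESSAGE":"constructed info message"}',
    '{"__REALTIME_TIMESTAMP":"1740820200000000","PRIORITY":"3","_SYSTEMD_UNIT":"sshd.service","_PID":"811","MESSAGE":[101,114,114,58,32,255]}',
    '{"__REALTIME_TIMESTAMP":"1740821400000000","PRIORITY":"4","_SYSTEMD_UNIT":"nginx.service","_PID":"902","MESSAGE":"constructed warning"}',
    '{"__REALTIME_TIMESTAMP":"1740834000000000","PRIORITY":"2","_SYSTEMD_UNIT":"sshd.service","_PID":"811","MESSAGE":"constructed crit, outside window"}',
]

def to_us(stamp):
    """'YYYY-MM-DD HH:MM:SS' -> microseconds since epoch (UTC assumed here)."""
    dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1_000_000

def message_text(value):
    # journald writes MESSAGE as a list of byte values when it is not valid
    # UTF-8, and as null when the field is too large to include.
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return "" if value is None else value

def filter_entries(lines, unit=None, priority=None, since=None, until=None):
    """Mimic -u, -p, --since and --until over `journalctl -o json` lines."""
    kept = []
    for line in lines:
        e = json.loads(line)
        ts = int(e["__REALTIME_TIMESTAMP"])
        prio = e.get("PRIORITY")
        # Simplification: the real -u also matches messages systemd logs about the unit.
        if unit and e.get("_SYSTEMD_UNIT") != unit:
            continue
        # Lower number = more severe, so priority=3 ("-p err") keeps 0..3.
        if priority is not None and (prio is None or int(prio) > priority):
            continue
        if (since and ts < to_us(since)) or (until and ts > to_us(until)):
            continue
        when = datetime.fromtimestamp(ts / 1_000_000, tz=timezone.utc)
        kept.append({"time": when.strftime("%Y-%m-%d %H:%M:%S"), "priority": int(prio) if prio else None,
                     "pid": e.get("_PID"), "message": message_text(e.get("MESSAGE"))})
    return kept

if __name__ == "__main__":
    for row in filter_entries(SAMPLE, unit="sshd.service", priority=3,
                              since="2025-03-01 08:00:00", until="2025-03-01 12:00:00"):
        print(row)
```

On a live system, pass it the lines produced by journalctl -o json --no-pager instead of SAMPLE.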

What to Look For

  • Timestamps narrow the output to your incident window
  • Priority filters eliminate noise from info/debug messages
  • Unit filters isolate a single service's logs from the full journal
  • JSON output includes metadata fields not shown in default format

Common Mistakes

  • Forgetting quotes around time expressions like "1 hour ago"
  • Using -p info when you want to reduce noise (-p info shows info and everything more severe, so only debug is dropped)
  • Not using --no-pager in scripts, causing journalctl to hang waiting for input
  • Confusing --since today (midnight) with --since "1 hour ago"

Cleanup

No cleanup needed. journalctl is read-only by default.