I'm using journalctl's --since option now to speed up checking logs
I've probably had an ambient awareness of journalctl's
--since option to show the systemd journal since some particular
time ever since I read enough of the manpage to find options like
'-u' (used to see only logs for a single unit) and
'-b' (used to select which system boot you want to start
from). But for a long time I didn't really use it, even when I
mentioned it in my entry on '
that's been changing and I've been finding myself using --since more
and more often, generally in two different situations.
The most obvious and straightforward situation is when I know that something odd happened on a system at a particular time and I want to look at the logs around that time. I typically pick a --since time a bit before the event's time, usually only a few minutes but sometimes more. On the one hand, the earlier you pick for --since, the more potentially irrelevant log messages you have to skip through; on the other hand, you can't scroll back to look at logs before your --since (not without quitting and restarting), so I want to make sure it's definitely going to have any early warning messages.
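An added example (not from the original post) of the first situation: a small shell helper that turns an event time and a margin into a --since value a few minutes earlier. The names since_before and jaround and the 5-minute default are assumptions for illustration, and GNU date is assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes GNU date.

# since_before EVENT_TIME [MARGIN_MINUTES]
# Prints a timestamp MARGIN_MINUTES before EVENT_TIME in the
# "YYYY-MM-DD HH:MM:SS" form that journalctl --since accepts.
since_before() {
    local event=$1 margin=${2:-5} epoch
    case $margin in
        ''|*[!0-9]*) echo "margin must be whole minutes" >&2; return 2 ;;
    esac
    # Go through epoch seconds so the subtraction is plain arithmetic
    # and is never misread by date's parser as a timezone offset.
    epoch=$(date -d "$event" +%s) || return 2
    date -d "@$((epoch - margin * 60))" '+%Y-%m-%d %H:%M:%S'
}

# jaround EVENT_TIME [MARGIN_MINUTES] [journalctl options...]
# Opens the journal starting MARGIN_MINUTES before the event, so
# early warning messages are on screen without restarting the pager.
jaround() {
    local event margin since
    if [ $# -lt 1 ]; then
        echo "usage: jaround EVENT_TIME [MARGIN_MINUTES] [journalctl options]" >&2
        return 2
    fi
    event=$1; shift
    margin=5
    if [ $# -gt 0 ]; then margin=$1; shift; fi
    since=$(since_before "$event" "$margin") || return
    # Remaining arguments pass through, e.g. -u to limit to one unit.
    journalctl --since "$since" "$@"
}
```

For example, `jaround '2024-03-05 14:30:00' 10 -u ssh.service` starts the view at 14:20:00 for that one unit; the timestamp and unit name here are constructed.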
The other case is when I really want to start at the most recent
messages and scroll backward. I used to use the old standby of
'journalctl -b0' followed by the less 'G' command to go to the
end, but that can be slow, especially if the system didn't boot all
that recently. Using a somewhat recent --since generally makes this
much faster at the cost of limiting how far back I can scroll (which
usually isn't an issue). Here I should make more use of systemd's
relative time units (see systemd.time for
details), for example '--since -4h', rather than looking at the
current time and then specifying something a bit in the past.
I could use 'journalctl -r' for this, which shows the journal in
reverse order, but for some reason my brain is happier seeing logs
in their normal forward order and paging backward. Part of this is
that the systemd journal is the only form of logs that I can actually
look at in reverse; for all of the file-based logs I look at, I
have no choice but to jump to the end and page backward.
In both cases, how far back I go depends partly on my guess or knowledge of how busy the journal is. If this is a system with busy logs, there's not much point in going very far back from what I'm interested in because I'll never look at all that volume.
(Log volume is quite variable on our systems for various reasons. Some systems have popular services that are exposed to the entire world, for example our IMAP servers, while others have low activity and don't have anything externally accessible, not even SSH. The latter systems tend to see ongoing log activity mostly from frequent cron jobs.)