Beginner question - searching for string containing [] chars

msr · March 23, 2017, 7:52am

I've just installed filebeats and I am trying to configure it to include_lines that contain square brackets. For example, the log file entry would be something like "Storage swapped on [DBName].[TableName1]".

I tried configuring the yml as follows, but this isn't working:
#include_lines: ["^ERR", "^WARN"]
include_lines: ["Storage swapped on [DBName].[TableName1]", "Error", "ERROR"]

If I remove the square brackets from the string it works, but this gives me messages for all tables:
include_lines: ["Storage swapped"]

So I am assuming it's the square brackets it doesn't like? Do I need to escape these characters, and if so how?!

Thanks!

exekias · March 23, 2017, 8:02am

Hi Mark,

include_lines uses regular expressions (take a look to the documentation), most likely you want to escape brackets, using the escape char '':

include_lines: ["Storage swapped on \[DBName\]\.\[TableName1\]", "Error", "ERROR"]

Give it a try

msr · March 23, 2017, 8:30am

Thanks for the prompt response Carlos, but I'm still doing something wrong!

If I put the escape char inside the double quotes like this, the service won't start.

The filebeat_Responses service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

exekias · March 23, 2017, 8:53am

Sorry my bad,

I forgot to switch to single quotes for the regular expression:

include_lines: ['Storage swapped on \[DBName\]\.\[TableName1\]', 'Error', 'ERROR']

msr · March 23, 2017, 10:44am

Ah - that's solved it! Thanks!!

system · April 20, 2017, 10:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.