Hello,
I am processing logs for a third party application. I already parsed out a field called "error_message". I know that for some records, there is an error code in the error_message. For example, "ERROR-11-8888", I want to be able to find that specific error code. If it exists in the error_message, I want to get the error code and store it as a new field. What is the best way to do this? Thank you very much for the help.
Use a grok filter.
filter {
  grok {
    match => ["error_message", "(?<error_code>ERROR-\d+-\d+)"]
  }
}
This example makes a few assumptions about what error codes look like so you may need to adjust the regular expression somewhat. You may also want to set the tag_on_failure option to an empty value to avoid tagging events with _grokparsefailure just because there's no error code in the error message—at least if it's okay that there is none.
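A complete pipeline built around that grok filter, as an added example (not part of the original reply), showing the tag_on_failure setting the reply mentions. It assumes the events already carry an error_message field; the stdin/json input and the two sample events in the comments are constructed only so the filter can be tried quickly.

```logstash
# Added example, not from the original reply: a full Logstash pipeline
# around the grok filter discussed above. Assumes events already have an
# "error_message" field; the stdin/json input exists only so the filter
# can be tried with constructed sample events such as:
#   {"error_message":"DB timeout ERROR-11-8888 on db01"}
#   {"error_message":"Scheduled job finished normally"}
input {
  stdin { codec => json }
}

filter {
  grok {
    # Named capture (Oniguruma syntax): the matched substring is stored
    # in a new error_code field. \d+ is deliberately loose; tighten it
    # (e.g. \d{2}-\d{4}) if the application's codes have a fixed width.
    match => ["error_message", "(?<error_code>ERROR-\d+-\d+)"]
    # Empty list: events whose error_message contains no code are left
    # without error_code and without a _grokparsefailure tag, instead
    # of being marked as parse failures.
    tag_on_failure => []
  }
}

output {
  # The first sample event comes out with "error_code" => "ERROR-11-8888";
  # the second comes out unchanged (no error_code field, no tags).
  stdout { codec => rubydebug }
}
```

Run it with bin/logstash -f and the config file name, then paste the two sample JSON objects on stdin; only the first one gains an error_code field, and neither is tagged with _grokparsefailure. If you would rather keep the failure tag for genuinely malformed messages, wrap the grok block in an if [error_message] =~ /ERROR-/ conditional instead of emptying tag_on_failure.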