Can we use regex check in if conditional?

Hi, I want to check whether a regex matched in an if conditional, then extract the line that matched and add it to ES.

if regexMatched
{
add_field for matched lines
}

The syntax for a regex condition is

if [field] =~ /regex/ {
  ...
}

@Jenni, how will we get only the matched lines?

Without more details about your use case that's difficult to answer. Example events and the desired output for these is always helpful.

In general, you'd probably use grok to extract information or kv to separate the lines and process them separately in a loop in Ruby.

Here is the input file:

15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
15119.753889] [] (kthread+0xe0/0xe4) from [] (ret_from_fork+0x14/0x20)
15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
[15119.753902] dhd_check_hang: Event HANG send up due to re=5 te=0 e=-110 s=2
[15119.753917] dhd_check_hang: Event HANG send up due to re=5 te=0 e=-110 s=2
[15119.753937] dhd_prot_ioctl : bus is down. we have nothing to do
[15119.791431] [] (schedule_timeout+0x158/0x25c) from [] (0xea1e0000)
[15119.799331] kworker/3:2 R running 0 29597 2 0x00000000
[15119.805699] [] (__schedule+0x3d0/0x8a4) from [] (worker_thread+0x1fc/0x3dc)
[15119.814384] [] (worker_thread+0x1fc/0x3dc) from [] (kthread+0xe0/0xe4)
[15119.822637] [] (kthread+0xe0/0xe4) from [] (ret_from_fork+0x14/0x20)
[15119.830710] kworker/u8:1 S c0ab2fd4 0 29738 2 0x00000000
[15119.837078] [] (__schedule+0x3d0/0x8a4) from [] (worker_thread+0x1fc/0x3dc)
[15119.845763] [] (worker_thread+0x1fc/0x3dc) from [] (kthread+0xe0/0xe4)
[15119.854015] [] (kthread+0xe0/0xe4) from [] (ret_from_fork+0x14/0x20)
[15119.862088] kworker/u8:4 S c0ab2fd4 0 29739 2 0x00000000
[15119.868455] [] (__schedule+0x3d0/0x8a4) from [] (worker_thread+0x1fc/0x3dc)
[15119.877140] [] (worker_thread+0x1fc/0x3dc) from [] (kthread+0xe0/0xe4)
[15119.885391] [] (kthread+0xe0/0xe4) from [] (ret_from_fork+0x14/0x20)
[15119.893468] Sched Debug Version: v0.10, 3.10.96+ #1
[15119.898337] ktime

And I want to match "dhd_bus_rxctl: rxcnt_timeout" and dump the following lines into ES.
After matching the regex:

15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
15119.753889] [] (kthread+0xe0/0xe4) from [] (ret_from_fork+0x14/0x20)
15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0

lines = Array.new
event.get("message").split("\n").each do |line|
    lines.push(line) if line =~ /.*dhd_bus_rxctl: rxcnt_timeout.*/
end
event.set("lines", lines)

I think something like that could give you an array with the matching lines. But I have no idea why your second example should be in that list?

@Jenni, instead of using a loop and iterating over the whole "message" and increasing time complexity,
how can we search only those lines and get them?

I'm not a Ruby programmer. But maybe using scan would be faster?

event.set("lines", event.get("message").scan(/.*dhd_bus_rxctl: rxcnt_timeout.*/))
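The loop and scan approaches from the answers above, side by side, as an added example that is not part of the original thread. It is plain Ruby that runs outside Logstash; the function names, the CRLF handling and the sample message (modelled on the posted log) are assumptions, and it goes one step beyond the thread by using capture groups to pull the numeric fields out of each matched line.

```ruby
# Constructed sample, modelled on the log lines posted in the thread.
SAMPLE = [
  "15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0",
  "15119.753889] [] (kthread+0xe0/0xe4) from [] (ret_from_fork+0x14/0x20)",
  "15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0",
  "[15119.753902] dhd_check_hang: Event HANG send up due to re=5 te=0 e=-110 s=2",
  "[15119.753937] dhd_prot_ioctl : bus is down. we have nothing to do"
].join("\n")

# Without the /m flag "." never matches "\n", so each hit is one whole line.
LINE_RE = /^.*dhd_bus_rxctl: rxcnt_timeout.*$/

# Capture groups: uptime stamp (leading "[" optional, as in the posted log),
# rxcnt_timeout and rxlen.
FIELD_RE = /^\[?\s*(\d+\.\d+)\] dhd_bus_rxctl: rxcnt_timeout=(\d+), rxlen=(\d+)/

# Loop variant: split the message and test every line.
def lines_by_loop(message)
  return [] if message.nil?
  message.split("\n").select { |line| line =~ LINE_RE }.map(&:chomp)
end

# Scan variant: one pass of the regex engine over the whole message.
# chomp drops the "\r" that "." picks up on CRLF input.
def lines_by_scan(message)
  message.to_s.scan(LINE_RE).map(&:chomp)
end

# With groups in the pattern, scan returns one array of captures per match,
# which can be turned into typed fields instead of raw lines.
def rxctl_events(message)
  message.to_s.scan(FIELD_RE).map do |uptime, timeout, rxlen|
    { "uptime" => uptime.to_f, "rxcnt_timeout" => timeout.to_i, "rxlen" => rxlen.to_i }
  end
end

if __FILE__ == $0
  puts lines_by_scan(SAMPLE)
  puts rxctl_events(SAMPLE).inspect
end
```

Inside a Logstash ruby filter the message would come from event.get("message") and the result would be stored with event.set, as in the answers above.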

Thanks a lot @Jenni it worked.
