Extract string from GREEDYDATA

lemospt · May 20, 2024, 6:05pm

Hi,

my log message is already parsed in a grok filter and i have greedy data, in some messages the greedy data has an oracle error code, and i want to create a new field with this error code. The error code could be at any point of the message.
Below two examples,

[Execute failed for 'CALL sp_apn_dedicated(?,?,?,?)': ORA-06553: PLS-306: wrong number or types of arguments in call to 'SP_APN_DEDICATED' (DBD ERROR: error possibly near <*> indicator at char 5 in 'CALL <*>sp_apn_dedicated(:p1,:p2,:p3,:p4)')]

[Could not connect to SQL database with DBI->connect dbi:Oracle:HOST=oracle-trehs-gread;PORT=1521;SERVICE_NAME=gfs01, AA, **obscured**: ORA-12170: TNS:Connect timeout occurred (DBD ERROR: OCIServerAttach)]

in these two examples want a new field with ORA-\d+ (ORA-12170 and ORA-06553)

Any ideas how was the best filter to do this?

Thanks in advance for your help.

Badger · May 20, 2024, 6:45pm

Use grok with a custom pattern

grok { match => { "yourFieldName" => "\b(?<oraError>ORA-\d+)" } }

Note the \b to prevent the pattern matching DORA (I once saw an alert wake folks up in the middle of the night because a pattern meant to match Oracle errors matched the name DORA-ANN).

lemospt · May 21, 2024, 9:30am

thanks a lot for the help.
It works like expected.
A question, what '\b' do in this case?

Thanks.

Badger · May 21, 2024, 10:30am

\b matches a word boundary, that is, ORA- must occur at the start of a word. So it matches

 ORA-01034: Oracle not available

on a line by itself, or an error embedded in a line

Request failed -- ORA-00054: resource busy and acquire with NOWAIT specified

but it will not match the pattern inside a word

AHORA-1, 2!

lemospt · May 21, 2024, 3:29pm

got it and makes sense.

Thanks for the clarification.