Filebeat: Match literal * or ** in messages


(Ken Rogers) #1

I have log files that contain the following:

<15:00:51.504 DBG ...
<15:00:52.173 *WRN* SM ...
<15:00:52.173 **ERR** TSS ...
<15:00:52.173 TRC EWF ...

I would like to drop any messages that do not contain WRN or ERR from Filebeat, but I can't figure out how to format my regular expression to do that.

When I use this:

processors:
  - drop_event:
      when:
        not:
          regexp:
            message: " *WRN* | *\*ERR*\* "

I get an error about the unknown escape sequence. If I use single quotes:

processors:
  - drop_event:
      when:
        not:
          regexp:
            message: ' *WRN* | *\*ERR*\* '

I never get any output to logstash.

How can I match both *WRN and ERR successfully?

Best Regards
Ken


(Debashis Mondal) #2

Hi @Krog,

As per my understanding, you want to drop any message that does not contain WRN or ERR.
Hence it implies that you just want to send the WRN and ERR messages to logstash.

You can do it by configuring the "include_lines" option:

filebeat.prospectors:

  - input_type: log
    include_lines: ["WRN", "ERR"]

(Ken Rogers) #3

Great - Let me try that and hopefully it will work better than trying to use a processor section.

Ken


(Debashis Mondal) #4

Hello @Krog,

If you want to escape *, then use \\*. I think it will help you more. :slight_smile:


(Ken Rogers) #5

That's what I ended up doing in the prospectors section:

- type: log
  paths:
    - /Images_Prod/Server1/logs/*
  exclude_files: ['\.gz$']
  include_lines: [' \*WRN\* ',' \*\*ERR\*\* ']

My original thought was to use a processor section but I couldn't figure out how to escape the asterisks and avoid the dreaded unknown escape sequence error.

Your suggestion to use the include_lines directive was a much better solution anyway.

Thank you for the assist.

Regards

Ken
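
Added example (not code from the thread or from Filebeat itself): Filebeat compiles include_lines with Go's regexp package, so the same patterns can be checked with a few lines of Go before touching the config. The block runs the escaped patterns from the working prospector config, and the unescaped ones from the first attempt, over constructed sample lines shaped like the ones posted above. The unescaped `*` is a quantifier, so ` *WRN* ` never sees a literal star and matches nothing here; only the `\*` form keeps the WRN and ERR lines.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample lines shaped like the ones in the thread (not real log data).
var sampleLines = []string{
	"<15:00:51.504 DBG ...",
	"<15:00:52.173 *WRN* SM ...",
	"<15:00:52.173 **ERR** TSS ...",
	"<15:00:52.173 TRC EWF ...",
}

// includeLines are the patterns from the working prospector config. The
// asterisks are escaped so they match literal stars instead of acting as
// "zero or more" quantifiers. Filebeat uses Go regexp syntax for include_lines,
// so matching them with the regexp package mirrors what Filebeat does.
var includeLines = []string{` \*WRN\* `, ` \*\*ERR\*\* `}

// naivePatterns are the unescaped patterns from the first attempt, where `*`
// quantifies the preceding character: ` *WRN* ` means "spaces, W, R, any
// number of N, space", which never contains a literal star.
var naivePatterns = []string{` *WRN* `, ` *\*ERR*\* `}

// compile builds the regexp list, failing fast on an invalid pattern.
func compile(patterns []string) ([]*regexp.Regexp, error) {
	res := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("pattern %q: %w", p, err)
		}
		res = append(res, re)
	}
	return res, nil
}

// Filter keeps a line when at least one pattern matches it, which is the
// include_lines semantics: lines matching none of the patterns are dropped.
func Filter(lines []string, patterns []string) ([]string, error) {
	res, err := compile(patterns)
	if err != nil {
		return nil, err
	}
	var kept []string
	for _, line := range lines {
		for _, re := range res {
			if re.MatchString(line) {
				kept = append(kept, line)
				break
			}
		}
	}
	return kept, nil
}

func main() {
	kept, err := Filter(sampleLines, includeLines)
	if err != nil {
		panic(err)
	}
	fmt.Println("escaped patterns keep:", kept)

	naive, err := Filter(sampleLines, naivePatterns)
	if err != nil {
		panic(err)
	}
	fmt.Println("unescaped patterns keep:", naive)
}
```

Running this keeps exactly the *WRN* and **ERR** lines for the escaped patterns and nothing for the unescaped ones. The YAML side is separate from the regexp side: in a double-quoted YAML scalar `\*` is an invalid escape (the error from the first attempt), while a single-quoted scalar passes the backslash through to the regexp engine unchanged, which is why the single-quoted include_lines in the final config works.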

