Filter: error message and string comparison

Hi I have an error message that I would like to drop. But my filter does not seem to ever trigger.

Message

2017-05-23T18:24:47.644Z -- ERROR -- [main] ERROR de.komoot.photon.elasticsearch.Server - cannot install plugin: mobz/elasticsearch-head: java.io.IOException: plugin directory /photon/data/photon_data/elasticsearch/plugins/head already exists. To update the plugin, uninstall it first using --remove mobz/elasticsearch-head command

My various attempts to catch it

 if 'ERROR de.komoot.photon.elasticsearch.Server - cannot install plugin: mobz/elasticsearch-head: java.io.IOException: plugin directory /photon/data/photon_data/elasticsearch/plugins/head already exists.' in [message] {
drop {}
}

if [message] =~ "ERROR de.komoot.photon.elasticsearch.Server \- cannot install plugin\: mobz\/elasticsearch\-head\: java.io.IOException\: plugin directory \/photon\/data\/photon_data\/elasticsearch\/plugins\/head already exists." ...

if 'ERROR de.komoot.photon.elasticsearch.Server \- cannot install plugin\: mobz\/elasticsearch\-head\: java.io.IOException\: plugin directory \/photon\/data\/photon_data\/elasticsearch\/plugins\/head already exists.' in [message]...

 if 'photon' in [message]...

if "photon" in [message] ...

if [message] =~ "photon" ...

if [message] =~ 'photon' ...

I don't seem to be able to find a good explanation on single and double quotes or on regexp vs in. Any help is welcome.

anyone?

@pir1981

You should be able to use something like:-

if [message] =~ / .*ERROR.*de\.komoot\.photon\.elasticsearch\.Server.*/ {
    drop {}
}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.