Filter on a number in a log catch

pir1981 · November 12, 2017, 8:38pm

Hi,

I have a message

filebeat -- ERROR -- Nov 11 23:59:34 server25 smartd[12032]: Device: /dev/sda [SAT], SMART Prefailure Atribute: 1Raw_Read_Error_Rate changes from XX to YY

Where XX is a number and YY is a number i.e. "83 to 77" or "89 to 100"... Both are different most of the time, not just to each other, but to previous messages as well.
I keep getting this message multiple times a day and would like to only get it when YY drops below ... I guess about 50. I am very new to logstash how can I filter out only YY, change ERROR to WARNIG if it is above 50 and otherwise leave it unchanged if below 50.

Thanks

magnusbaeck · November 14, 2017, 6:27am

Use a grok filter to extract the numbers into separate fields, then wrap a conditional around additional filters that e.g. update the loglevel field or whatever it is you want to do.

system · December 12, 2017, 6:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.