Get 10 characters before substring in logstash?

Elastic Stack Logstash
1

Hi,

I want to get the first 10 characters from a string that ends with Exception.
Example: I have field like this:

 "ERRORMESSAGE" => "local exporter [default_local] - failed to delete indice
s\r\nRemoteTransportException[[data-2][10.0.x.x:x300][indices:admin/delete]];
 nested: IndexNotFoundException[no such index];\r\nCaused by: [.marvel-es-1-2017
.06.07] IndexNotFoundException[no such index]\r\n        at org.elasticsearch.cl
uster.metadata.MetaDataDeleteIndexService$1.execute(MetaDataDeleteIndexService.j
ava:91)\r\n        at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(C
lusterStateUpdateTask.java:45)\r\n        at org.elasticsearch.cluster.service.I
nternalClusterService.runTasksForExecutor(InternalClusterService.java:468)\r\n
  at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run
(InternalClusterService.java:772)\r\n        at org.elasticsearch.common.util.co
ncurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndCl
ean(PrioritizedEsThreadPoolExecutor.java:231)\r\n        at org.elasticsearch.co
mmon.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunna
ble.run(PrioritizedEsThreadPoolExecutor.java:194)\r\n        at java.util.concur
rent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\r\n        at ja
va.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\r\
n        at java.lang.Thread.run(Thread.java:745)\r",

Where i need to catch the string that ends with Exception. For that i had used this

grok {
  match => ["ERRORMESSAGE", "(?<ExceptionType>{10}.Exception)"]
}

Where i am finding the first 10 characters of a string that ends with Exception but i am getting this error {:exception=>"RegexpError" . And also other problem is if there are more strings that ends with Exception in ERRORTYPE field then whether above grok produces two or more ExceptionType fields ?

Thanks

2

Hello,

You can use ruby filter.
Example:
ruby {
code => "
new_value = event.get('ERRORMESSAGE')[0..10]
event.set('ERRORMESSAGE',new_value)
"
}

Ali

3

Thanks @R-Ali

But what i want is different i want first 10 characters from a substring in ERRORTYPE field where the substring ends with Exception .

EX: "ERRORTYPE" : "The exception name is INDEXNOTFOUNDException"

Then i need to get "ErrorType" : INDEXNOTFOUNDException

Ref: How do perform string manipulations

Thanks

4

Ah ok.
You can something like this

ruby {
code => "
ERRORTYPE = event.get('ERRORMESSAGE').match('/Exception/')[0]
ERRORTYPE = ERRORTYPE [0..10]
event.set('ERRORTYPE ',ERRORTYPE )
"
}

I'm not sure for the match function (you need to see ruby documentation) But the idea is good :slight_smile:

5

Thanks @R-Ali

It is not showing any error but it is not giving ERRORTYPE field in the output.

Thanks

6

You need to put this code after grok filter
I do some correction :

ruby {
code => "
error_type = event.get('ERRORMESSAGE').match(/Exception/)[0]
error_type = ERRORTYPE [0..10]
event.set('ERRORTYPE ',error_type )
"
}

7

Thanks @R-Ali

I changed my grok like this

 grok {
  match => ["ERRORMESSAGE", "(?<ExceptionType>.{13}Exception)"]
}

And it worked fine. Thanks for helping me.
Thanks

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.