Grok rewrite field value if matches string

Arthur_Francis · November 23, 2016, 8:58am

Hello,

I am trying to extract a value from a log message that can take various forms, I have the 2 different regex patters which work individually.

if the first regex produces a certain field value I want to rewrite the field with a different regex pattern.

grok {
                patterns_dir => ["./patterns"]
                match => ["message", "%{GREEDYDATA}\n%{JAVA_EXCEPTION_SHORT:exception}"]
        }
if [exception] =~ "Caused by" {
                grok {
                patterns_dir => ["./patterns"]
                match => ["message", "%{GREEDYDATA}\n%{JAVA_EXCEPTION_LONG:exception}"]
}

the above line did not execute as expected, could somebody please suggest a possible solution?

Much appreciated in advance

Arthur_Francis · November 23, 2016, 4:13pm

I have tried something different, and now running through the logs hopefully will work.

grok {
                patterns_dir => ["./patterns"]
                match => ["message", "%{GREEDYDATA}\n%{JAVA_EXCEPTION_SHORT:exception}"]
        }

        if "Caused by" in [exception] {
                mutate {
                    remove_field => "exception"
                }
                grok {
                    patterns_dir => ["./patterns"]
                    match => ["message", "%{GREEDYDATA}\n%{JAVA_EXCEPTION_LONG:exception}"]
                }
        }

system · December 21, 2016, 4:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.