Grok rewrite field value if matches string

Arthur_Francis · November 23, 2016, 8:58am

Hello,

I am trying to extract a value from a log message that can take various forms, I have the 2 different regex patters which work individually.

if the first regex produces a certain field value I want to rewrite the field with a different regex pattern.

grok {
                patterns_dir => ["./patterns"]
                match => ["message", "%{GREEDYDATA}\n%{JAVA_EXCEPTION_SHORT:exception}"]
        }
if [exception] =~ "Caused by" {
                grok {
                patterns_dir => ["./patterns"]
                match => ["message", "%{GREEDYDATA}\n%{JAVA_EXCEPTION_LONG:exception}"]
}

the above line did not execute as expected, could somebody please suggest a possible solution?

Much appreciated in advance

Arthur_Francis · November 23, 2016, 4:13pm

I have tried something different, and now running through the logs hopefully will work.

grok {
                patterns_dir => ["./patterns"]
                match => ["message", "%{GREEDYDATA}\n%{JAVA_EXCEPTION_SHORT:exception}"]
        }

        if "Caused by" in [exception] {
                mutate {
                    remove_field => "exception"
                }
                grok {
                    patterns_dir => ["./patterns"]
                    match => ["message", "%{GREEDYDATA}\n%{JAVA_EXCEPTION_LONG:exception}"]
                }
        }

system · December 21, 2016, 4:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Mutate - replace field string using another pattern Logstash	3	4286	December 26, 2016
Create new field from existing field using REGEX Logstash	4	1061	November 21, 2019
Grok match regex Logstash	3	245	August 26, 2021
Grok Filter - alternative patterns for same field? Logstash	3	1506	July 24, 2020
Grok regex for a few words Logstash	3	365	February 21, 2020

Grok rewrite field value if matches string

Related topics