Grok to match all instances

elvarb · September 18, 2017, 2:36pm

When I have a large error message with lots of error Id's I would want to be able to add all those ID's to a new field, a new field used similarly to the tag field.

For example

ORA-12012: error on auto execute of job
ORA-20210: P8460.spool_demon_log Process Que ORA-29532: Java call terminated by uncaught Java exception: java.lang.NoClassDefFoundError
ORA-29532: Java call terminated by uncaught Java exception: java.lang.ExceptionInInitializerError.
ORA-06512: at "Z_ERROR", line 51
ORA-06512: at "X_ERROR", line 8
ORA-06512: at "F80", line 391
ORA-06512: at "F86", line 400
ORA-06512: at line 1

elvarb · September 19, 2017, 9:50am

KV to the rescue!

kv { 
	field_split => " :\n"
	value_split => "-"

}

system · October 17, 2017, 9:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.