Group errors messages by type

Ebisu · March 26, 2019, 2:02pm

So let's say we have a few dozen different types of error messages in our logs, but with no error codes by which we could easily group them. Those messages have a form that could be parsed by grok like this:

Could not open %{DATA} in %{DATA}
Host %{IP} unreachable

I want to group those messages by type. I know the correct matching expressions, I just don't want what is variable about them in my field. For example, two messages Host 196.138.2.8 unreachable and Host 88.143.7.19 unreachable should both get the string Host _ unreachable in a field error_type in their events.

Could you give me a hint how to best approach this? Is there a shorter way than to use if-clauses and mutate (add_field)?

AquaX · March 26, 2019, 6:33pm

You could setup multiple grok filters and patterns and add a tag for each one that matches. Asuming, of course, that each error message is unique enough for there to be grok patterns that are specific enough for each kind of error message.

system · April 23, 2019, 6:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok with multiple matches - can i assign type based on match? Logstash	7	48106	November 4, 2022
How to create different actions for different log patterns by grok Logstash	5	293	June 21, 2019
How to try many grok matches, and take only the one that works? Logstash	4	2348	January 11, 2018
How to parse log file with different types of messages Logstash	2	628	July 6, 2017
GROK parsing totally different log lines Logstash	5	553	November 14, 2019

Group errors messages by type

Related topics