Group error messages by type

So let's say we have a few dozen different types of error messages in our logs, but with no error codes by which we could easily group them. Those messages have a form that could be parsed by grok like this:

Could not open %{DATA} in %{DATA}
Host %{IP} unreachable

I want to group those messages by type. I know the correct matching expressions, I just don't want what is variable about them in my field. For example, two messages Host 196.138.2.8 unreachable and Host 88.143.7.19 unreachable should both get the string Host _ unreachable in a field error_type in their events.

Could you give me a hint how to best approach this? Is there a shorter way than to use if-clauses and mutate (add_field)?

You could set up multiple grok filters and patterns and add a tag for each one that matches. Assuming, of course, that each error message is unique enough for there to be grok patterns that are specific enough for each kind of error message.
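As an added example (not part of this thread, and not Logstash's own code), here is the same idea in Python: one grok-style pattern per message type, each message is tried against the patterns in order, and the `error_type` string is derived from the pattern itself by replacing every `%{...}` placeholder with `_`, so you do not have to hand-write an `add_field` value per pattern. It generalizes the reply above in that respect. The `GROK_BASE` table is a constructed stand-in for a handful of grok's built-in patterns, and the log lines are constructed samples; unmatched lines get a `_grokparsefailure` tag instead of a guessed type.

```python
import re

# Constructed stand-in for a few of grok's built-in patterns.
# Assumption: only these pattern names are used in ERROR_PATTERNS.
GROK_BASE = {
    "DATA": r".*?",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NUMBER": r"-?\d+(?:\.\d+)?",
}

# Grok-style templates for the message types we want to group.
# Variable parts are written %{TYPE} or %{TYPE:fieldname}.
ERROR_PATTERNS = [
    "Could not open %{DATA:path} in %{DATA:dir}",
    "Host %{IP:host} unreachable",
]

# Matches one %{TYPE} or %{TYPE:name} reference inside a template.
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> re.Pattern:
    """Translate a grok template into an anchored Python regex.

    Literal text is escaped; each %{TYPE:name} becomes a named group
    (or a non-capturing group when no field name is given).
    """
    parts = []
    pos = 0
    for m in _GROK_REF.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        ptype, name = m.group(1), m.group(2)
        body = GROK_BASE[ptype]  # unknown pattern names raise KeyError on purpose
        parts.append(f"(?P<{name}>{body})" if name else f"(?:{body})")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def error_type_of(pattern: str) -> str:
    """The grouping key: the template with every variable part replaced by '_'."""
    return _GROK_REF.sub("_", pattern)


# Compile once; patterns are tried in list order, first match wins.
COMPILED = [(error_type_of(p), grok_to_regex(p)) for p in ERROR_PATTERNS]


def classify(message: str) -> dict:
    """Return an event dict with error_type plus any captured fields, or a tagged event."""
    for etype, rx in COMPILED:
        m = rx.match(message)
        if m:
            event = {"message": message, "error_type": etype}
            event.update(m.groupdict())
            return event
    # Unknown shapes are tagged rather than guessed, like grok's own failure tag.
    return {"message": message, "tags": ["_grokparsefailure"]}


def group_by_type(messages):
    """Count messages per error_type; unmatched lines are counted under None."""
    counts = {}
    for msg in messages:
        key = classify(msg).get("error_type")
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = [
    "Host 196.138.2.8 unreachable",
    "Host 88.143.7.19 unreachable",
    "Could not open config.yml in /etc/app",
    "Disk quota exceeded for user bob",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print(group_by_type(SAMPLE_LOG))
```

Because the `error_type` key is identical for every message of one shape, counting or alerting per type (a sudden burst of `Host _ unreachable`, for instance) becomes a plain aggregation, while the captured fields such as `host` stay available for drill-down. Keep `DATA` patterns anchored by literal text on both sides, as above; a bare lazy `.*?` with nothing after it will happily match anything and silently swallow unrelated messages into the wrong group.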
