How to create different actions for different log patterns by grok

rijinmp · May 24, 2019, 10:03am

Hi All ,

I have a log set . Only the time stamp is the common factor . All other part of the log is some java errors . Doesn't have any common structure. I am categorizing the error types by particular word's presence in the log . I need to take some actions based on the error types.

Example detected grok patterns

%{TIMESTAMP_ISO8601:Date}%{GREEDYDATA:Log}ABCD%{GREEDYDATA:Log}KLM%{GREEDYDATA:Log}
%{TIMESTAMP_ISO8601:Date}%{GREEDYDATA:Log}1234%{GREEDYDATA:Log}89%{GREEDYDATA:Log}
%{TIMESTAMP_ISO8601:Date}%{GREEDYDATA:Log}XXX%{GREEDYDATA:Log}YYY%{GREEDYDATA:Log}

How can I create actions for these three types of patterns?

Example

if pattern 1
Then
mutate {
add_field => { "Error_Type" => "ABCD" }
add_field => { "Caused_By" => "KLM"}
}

if pattern 2
Then
mutate {
add_field => { "Error_Type" => "1234" }
add_field => { "Caused_By" => "89"}
}

pastechecker · May 24, 2019, 10:08am

Try the following approach:

grok {
break_on_match => true
match => { "field" => "%{TIMESTAMP_ISO8601:Date}%{GREEDYDATA:Log}ABCD%{GREEDYDATA:Log}KLM%{GREEDYDATA:Log}"}
add_tag => "tag1"
}


if [tags] =~ /tag1/{
mutate {
add_field => { "Error_Type" => "1234" }
add_field => { "Caused_By" => "89"}
}
}

Think also about anchoring your patterns with ^ and $.

rijinmp · May 24, 2019, 10:12am

@pastechecker

Thank you so much . Trying this solution

rijinmp · May 24, 2019, 10:32am

How can I check the 3 patterns same time ?

(Nested if or else if condition )

pastechecker · May 24, 2019, 11:13am

if [tags] =~ /tag1|tag2|tag3/{}

system · June 21, 2019, 11:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.