Hi All,
My requirement is to identify all unknown errors present in the log file (or that may occur in the future). For this I am capturing all known error logs and trying to achieve it using regex along with a conditional if.
The problem is that it doesn't throw any error, but it also doesn't capture the message and add a tag for it as expected.
Please correct me and help; I am new to ELK. Using version 6.2.4.
CODE - Logstash config file
filter {
  grok {
    match => ["message", "<%{DATA:wls_timestamp}> <%{DATA:severity}> <%{DATA:wls_engine}> <%{DATA:wls_errorcode}> <%{GREEDYDATA:wls_logmessage}>"]
  }
  if "Error" in [severity] {
    # Known errors: one branch per pattern. This is where the tag was not being added:
    # == compares the whole field against the pattern text literally, so it never matched.
    # A regex needs =~ and a /.../ literal; slashes inside it are escaped as \/ and the
    # "[" and "]" inside the character class are escaped so they do not close the class early.
    if "oracle.soa.adapter" in [wls_engine] and "BEA-000000" in [wls_errorcode] and [wls_logmessage] =~ /UploadInvoiceToSharepoint[A-Za-z0-9':.\[\](),\s_!*-]*\/u01\/mounts\/mntNOWBATEU01\/PrintQueue\// {
      mutate {
        add_tag => ["SharepointFileFail"]
      }
    }
    # else if <engine / error code / message conditions for the next known error> { mutate { add_tag => [...] } }
    # ... one else if branch per further known error
    else {
      # severity is Error but it matched none of the known branches
      mutate {
        add_tag => ["Unknown Errors"]
      }
    }
  }
}
Sample log message
<Jun 22, 2018 6:30:26 PM UTC> <oracle.soa.adapter> <JCABinding=> UploadInvoiceToSharepointNOWReq:FileSyncReadInvoice [ SynchRead_ptt::SynchRead(Empty,opaque) ] Could not invoke operation 'SynchRead' against the 'file' due to:
BINDING.JCA-11007
No Data to process.
No Data to process.
File /u01/mounts/mntName/PrintQueue/
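As an added example (not part of the original post or of Logstash itself), here is the same "known error, else unknown" classification written in plain Ruby, so the regex and the branch logic can be checked outside the pipeline. Logstash's `=~` uses Ruby-style regex syntax, so a pattern that matches here matches in the config. The five-field line pattern, the `KNOWN_ERRORS` table and the sample log lines are constructed for this example; the samples carry the `<Error>` and `<BEA-000000>` fields that the grok pattern expects and use the `mntNOWBATEU01` mount name from the posted regex.

```ruby
# Added example, not from the original post: classify WebLogic-style log lines
# into known-error tags or "Unknown Errors", mirroring the Logstash conditionals.

# Mirrors the grok pattern: five angle-bracketed fields, the last one greedy.
# /m lets "." span newlines, because WebLogic messages are often multi-line.
WLS_LINE = /\A<(?<wls_timestamp>[^>]*)> <(?<severity>[^>]*)> <(?<wls_engine>[^>]*)> <(?<wls_errorcode>[^>]*)> <(?<wls_logmessage>.*)>\z/m

# One row per known error: [tag, engine substring, error code substring, message regex].
# "[" and "]" inside the character class are escaped and "-" is last so it is literal.
KNOWN_ERRORS = [
  ["SharepointFileFail", "oracle.soa.adapter", "BEA-000000",
   %r{UploadInvoiceToSharepoint[A-Za-z0-9':.\[\](),\s_!*-]*/u01/mounts/mntNOWBATEU01/PrintQueue/}],
]

# Returns the list of tags the line would receive.
def classify(line)
  m = WLS_LINE.match(line)
  return ["_grokparsefailure"] unless m          # line does not fit the grok pattern
  return [] unless m[:severity].include?("Error") # only Error lines are classified
  KNOWN_ERRORS.each do |tag, engine, code, pattern|
    next unless m[:wls_engine].include?(engine) && m[:wls_errorcode].include?(code)
    return [tag] if pattern.match?(m[:wls_logmessage])
  end
  ["Unknown Errors"]                              # Error, but matched no known branch
end

# Why the posted condition never fired: == compares the field with the pattern
# text character by character, so it is true only if the message literally
# contains the brackets and backslashes of the regex.
def literal_compare_matches?(line)
  m = WLS_LINE.match(line)
  !m.nil? && m[:wls_logmessage] == KNOWN_ERRORS[0][3].source
end

# Constructed sample lines (not copied from a real system).
SAMPLE_KNOWN = "<Jun 22, 2018 6:30:26 PM UTC> <Error> <oracle.soa.adapter> <BEA-000000> " \
  "<JCABinding=> UploadInvoiceToSharepointNOWReq:FileSyncReadInvoice " \
  "[ SynchRead_ptt::SynchRead(Empty,opaque) ] Could not invoke operation 'SynchRead' " \
  "against the 'file' due to:\nBINDING.JCA-11007\nNo Data to process.\n" \
  "File /u01/mounts/mntNOWBATEU01/PrintQueue/>"
SAMPLE_UNKNOWN = "<Jun 22, 2018 6:31:00 PM UTC> <Error> <oracle.soa.bpel.engine> <BEA-000000> " \
  "<Some failure text the known list does not cover>"
SAMPLE_WARNING = "<Jun 22, 2018 6:32:00 PM UTC> <Warning> <oracle.soa.adapter> <BEA-000000> " \
  "<UploadInvoiceToSharepoint retry /u01/mounts/mntNOWBATEU01/PrintQueue/>"

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_KNOWN, SAMPLE_UNKNOWN, SAMPLE_WARNING, "not a weblogic line"].each do |line|
    puts "#{line.lines.first.strip[0, 60]}... => #{classify(line).inspect}"
  end
  puts "literal == comparison on the known sample: #{literal_compare_matches?(SAMPLE_KNOWN)}"
end
```

Because the known-error conditions are combined into one branch instead of being nested, an Error line from a different engine or with a different error code also falls through to "Unknown Errors", which is what the post asks for; with the nested form, only BEA-000000 lines from oracle.soa.adapter would ever reach the else.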