I give up... someone please help.

I need to extract all the lines starting with "ORA-" from the logfile, which looks like the sample shown below.
I also need to split each such line into two parts, the ORA- code and the message that follows it,
and to pick up the last timestamp before the ORA- message.
How can I do that?
In the log sample below, "ORA-7452: resource plan 'PARALLEL_CONTROL' does not exist" is the error,
and the last timestamp was "Fri May 26 14:57:59 2017".
I want to put "TIMESTAMP", "ORA-7452", "resource plan 'PARALLEL_CONTROL' does not exist" in Elasticsearch.

This filter does part of the job: it only extracts the lines with ORA-xxxx, but since the timestamp is on the previous lines, it doesn't bring that in.

input {
  file {
    path => "/home/admin/a.log"
    start_position => "beginning"
  }
}

filter {
  # Search for ORA- and create field if match
  if [message] =~ /ORA-/ {
    grok {
      # Named capture: the forum stripped the "<...>" group name from the
      # original; "ora_code" is a placeholder name for the captured ORA- code.
      match => [ "message", "(?<ora_code>ORA-[0-9]*)" ]
    }
  } else {
    drop { }
  }
}

Fri May 26 14:57:58 2017
MTTR advisory is disabled because FAST_START_MTTR_TARGET is not set
Fri May 26 14:57:58 2017
SMON: enabling cache recovery
Fri May 26 14:57:59 2017
minact-scn: Inst 4 is a slave inc#:8 mmon proc-id:14708 status:0x2
minact-scn status: grec-scn:0x0000.00000000 gmin-scn:0x0000.00000000 gcalc-scn:0x0000.00000000
[14760] Successfully onlined Undo Tablespace 751.
Undo initialization finished serial:0 start:3735653022 end:3735654012 diff:990 (9 seconds)
Verifying file header compatibility for 11g tablespace encryption..
Verifying 11g file header compatibility for tablespace encryption completed
SMON: enabling tx recovery
Database Characterset is WE8ISO8859P1
Opening with Resource Manager plan: PARALLEL_CONTROL
ORA-7452: resource plan 'PARALLEL_CONTROL' does not exist
INTERNAL_PLAN is enabled instead
Starting background process GTX0
Fri May 26 14:58:03 2017
GTX0 started with pid=190, OS id=15227
Starting background process RCBG
Fri May 26 14:58:03 2017
RCBG started with pid=191, OS id=15229
replication_dependency_tracking turned off (no async multimaster replication found)
Starting background process QMNC

You could use the multiline codec to merge the two lines into one event:
https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html

and do your grokking on this merged line.
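Putting that suggestion together as a full pipeline, as an added example that is not part of the original thread: the multiline codec treats every line that does not start with an alert-log timestamp as a continuation of the previous line, so one event becomes one timestamp block (timestamp line plus everything up to the next timestamp line). A single grok then pulls the timestamp, the ORA- code and the message out of the merged event, and a date filter turns the Oracle timestamp into @timestamp. The path is the one from the question; the elasticsearch host, the index name and the field names ora_ts / ora_code / ora_msg are assumptions chosen for this example.

```logstash
input {
  file {
    path => "/home/admin/a.log"
    start_position => "beginning"
    # Alert-log blocks begin with a line such as "Fri May 26 14:57:59 2017".
    # negate + what => "previous": any line NOT matching that pattern is glued
    # onto the preceding event, so each event = one timestamp block.
    codec => multiline {
      pattern => "^%{DAY} %{MONTH} +%{MONTHDAY} %{TIME} %{YEAR}$"
      negate  => true
      what    => "previous"
      # The final block in the file has no following timestamp line to close
      # it; without a flush interval it would never be emitted.
      auto_flush_interval => 5
    }
  }
}

filter {
  # Only keep blocks that actually contain an ORA- line.
  if [message] !~ /ORA-[0-9]+/ {
    drop { }
  }

  grok {
    # (?m) lets "." cross the newlines inside the merged event. The block's
    # first line is the timestamp; the first ORA- line after it is split into
    # code and message (the message is the rest of that line only).
    match => {
      "message" => "(?m)^(?<ora_ts>%{DAY} %{MONTH} +%{MONTHDAY} %{TIME} %{YEAR})$.*?^(?<ora_code>ORA-[0-9]+):\s*(?<ora_msg>[^\n]*)"
    }
  }

  # Parse the Oracle timestamp so Elasticsearch indexes the event at the time
  # the alert log recorded, not at the time Logstash read the file.
  date {
    match  => [ "ora_ts", "EEE MMM dd HH:mm:ss yyyy" ]
    target => "@timestamp"
  }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]          # assumed host
    index => "oracle-alert-%{+YYYY.MM.dd}" # assumed index name
  }
}
```

For the sample above this yields one event with ora_ts "Fri May 26 14:57:59 2017", ora_code "ORA-7452" and ora_msg "resource plan 'PARALLEL_CONTROL' does not exist". Two caveats worth checking against a real alert log: if one timestamp block contains several ORA- lines, this grok captures only the first one (emitting one event per ORA- line needs an extra split or ruby filter), and if the alert log pads single-digit days with two spaces the date pattern needs a second variant.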
