Is this the right filter?

filter {
  if "warning" in "message" {
        mutate {
                add_field => { "error-field" => "An error occurred" }
        }
  }
}

Is this right? Because it seems not to be working. If I open Elasticsearch and go into the index to search for the filter where message is *warning*, I find some fields, but none contain the error-field.

I also tried it with

  if "warning" in [message] 
  if "warning" in [log_message]
  if "warning" in "log_message"
  

You should use the conditional in this format:

if "warning" in [message] {
    your filters
}

This will work if you have the string warning in the field message.

Can you share an example of a document for which it is not working?

Oct 21 15:21:44 M2 dis-f: pkt rx on ifd NULL unit 0
Oct 21 15:21:44 M2 fbc0 pkt rx on ifd NULL unit 0
Oct 21 15:21:46 M1 kernel: rtc4658je_rtc0: RTC ERROR(16): read failed for off:2(len:1)
Oct 21 15:21:46 M1 kernel: rtc4658je_rtc0: SETTIME failed for seconds: error 16
Oct 21 15:21:46 M1 kernel: warning: clock_settime failed (16), time-of-day clock not adjusted to system time

Here are some sample lines; there is only one warning line. The others look similar to the ones above the warning failure.

Thanks for the help, I will let you know as soon as I can make it work.

You may be best to create a grok pattern for your log entries to look for "warnings".

%{MONTH} %{MONTHDAY} %{TIME} (M1|M2) kernel: %{NOTSPACE:log_level}: %{GREEDYDATA:log_message}

Then you'll get output like this:

{
  "MONTH": [
    [
      "Oct"
    ]
  ],
  "MONTHDAY": [
    [
      "21"
    ]
  ],
  "TIME": [
    [
      "15:21:46"
    ]
  ],
  "HOUR": [
    [
      "15"
    ]
  ],
  "MINUTE": [
    [
      "21"
    ]
  ],
  "SECOND": [
    [
      "46"
    ]
  ],
  "log_level": [
    [
      "warning"
    ]
  ],
  "log_message": [
    [
      "clock_settime failed (16), time-of-day clock not adjusted to system time"
    ]
  ]
}

Then you can create a conditional for your warning message.

filter {
  if "warning" in [log_level] {
        mutate {
                add_field => { "error-field" => "An error occurred" }
        }
  }
}
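The grok pattern and the corrected conditional combined into one complete pipeline, as an added example that is not from the original thread; it assumes a file named pipeline.conf fed from stdin, and it tags the lines the pattern cannot parse (such as the `dis-f:` entries, which have no `kernel:`) instead of silently passing them through:

```logstash
input {
  stdin {}
}

filter {
  grok {
    # Pattern from the answer above. Lines without "kernel:" (the "dis-f:"
    # and "fbc0" entries) do not match and receive the _grokparsefailure tag.
    match => { "message" => "%{MONTH} %{MONTHDAY} %{TIME} (M1|M2) kernel: %{NOTSPACE:log_level}: %{GREEDYDATA:log_message}" }
  }

  # Field references go in square brackets. The original
  # if "warning" in "message" tested the literal string "message",
  # so it could never be true.
  if "warning" in [log_level] {
    mutate {
      add_field => { "error-field" => "An error occurred" }
    }
  }

  # On the RTC lines %{NOTSPACE:log_level} captures the device name
  # "rtc4658je_rtc0", so the check stays on [log_level], not the whole line.
  if "_grokparsefailure" in [tags] {
    mutate { add_tag => [ "unparsed" ] }
  }
}

output {
  stdout { codec => rubydebug }
}
```

`bin/logstash -f pipeline.conf --config.test_and_exit` validates the syntax, and piping the five sample lines into `bin/logstash -f pipeline.conf` shows error-field set only on the clock_settime line and the two non-kernel lines carrying the unparsed tag.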

That works just fine. Thank you very much!
