Logstash problem with config regex


Hello all,
I have the following log entry:

2017-08-29 01:10:11.111 [http-noo-111-exe-1] TRACE com.javasystemsolutions.xml.gateway.Actions - The XML Gateway encountered an error. The message was Server with id OPA is not configured.

The template in use was TEST_Create_Incident_elkmonitoring.

The server in use was OPA.

The input XML was
       <summary>Test Monitoring - Summary</summary>
       <notes>Test Monitoring - Summary</notes>
       <product>ELK FAQ</product>
com.javasystemsolutions.xml.gateway.ServerNotFoundException: Server with id OPA is not configured
       at com.javasystemsolutions.xml.gateway.input.PostActions.doPost(PostActions.java:215) [jss-xmlgateway.jar:?]
       at com.javasystemsolutions.xml.gateway.input.PostActions.postAction(PostActions.java:86) [jss-xmlgateway.jar:?]

What I 'm trying to do, is to use regex and identify the text between the incident tags, but as it seems something is wrong although my regular expression works on regex101 website and the configtest returns Configuration OK.
My config is the one below, anyone has an idea of what is wrong? :frowning:

   filter {
	multiline {
      pattern => "(^%{TIMESTAMP_ISO8601})"
      negate => true
      what => "previous"
	if "_grokparsefailure" in [tags] {
      drop { }
	if [host] == "host1" {
		grok {
			match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE} %{LOGLEVEL:Severity} %{GREEDYDATA:log_message}"}
		grok {
			match => ["requested_incident", "(?s)<incident>.+?</incident>"]

Any help/suggestion is more than welcome! :slight_smile:

(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.