Hello all,
I have the following log entry:
2017-08-29 01:10:11.111 [http-noo-111-exe-1] TRACE com.javasystemsolutions.xml.gateway.Actions - The XML Gateway encountered an error. The message was Server with id OPA is not configured.
The template in use was TEST_Create_Incident_elkmonitoring.
The server in use was OPA.
The input XML was
<incident>
<summary>Test Monitoring - Summary</summary>
<notes>Test Monitoring - Summary</notes>
<product>ELK FAQ</product>
</incident>
com.javasystemsolutions.xml.gateway.ServerNotFoundException: Server with id OPA is not configured
at com.javasystemsolutions.xml.gateway.input.PostActions.doPost(PostActions.java:215) [jss-xmlgateway.jar:?]
at com.javasystemsolutions.xml.gateway.input.PostActions.postAction(PostActions.java:86) [jss-xmlgateway.jar:?]
What I 'm trying to do, is to use regex and identify the text between the incident tags, but as it seems something is wrong although my regular expression works on regex101 website and the configtest returns Configuration OK.
My config is the one below, anyone has an idea of what is wrong? 
filter {
multiline {
pattern => "(^%{TIMESTAMP_ISO8601})"
negate => true
what => "previous"
}
if "_grokparsefailure" in [tags] {
drop { }
}
if [host] == "host1" {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE} %{LOGLEVEL:Severity} %{GREEDYDATA:log_message}"}
}
grok {
match => ["requested_incident", "(?s)<incident>.+?</incident>"]
}
}
}
Any help/suggestion is more than welcome! 