Need help with grok pattern for logstash config file for Oracle Alert log

Gaurav_Batta · May 12, 2020, 8:02pm

Please help with grok pattern for following Oracle Database Alert.log message below to trap ORA- errors and its timestamp using logstash.

Oracle Database alert log has following error log messages:

ORA-12222: Test error
2020-05-11T19:29:15.734411+00:00
:SS', 'NLS_CALENDAR=GREGORIAN'))
ORA-28365: wallet is not open
2020-05-12T14:57:06.103705+00:00
ORA-00313: open failed for members of log group 1 of thread 1
2020-04-10T19:34:36.315579+00:00````

Badger · May 12, 2020, 11:23pm

How are you ingesting events? Are you using a multiline configuration (either in filebeat or in the codec of a file input)?

Gaurav_Batta · May 13, 2020, 2:42am

Hi,
I am using multiline configuration in the file input.

Badger · May 13, 2020, 3:37pm

OK, if you have an event like

ORA-12222: Test error\n2020-05-11T19:29:15.734411+00:00\n:SS', 'NLS_CALENDAR=GREGORIAN'))

I would start with something like

grok { match => { "message" => "ORA-%{INT:errorCode}: (?<errorMessage>[^\n]+)\n(?<date>[^\n]+)(\n)?" } }

Gaurav_Batta · May 13, 2020, 6:22pm

Thanks Badger!

system · June 10, 2020, 6:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.