I'm collecting Windows Applications Event Logs, all of them are multiline and can have a variety of formats.
My message field which I would like to match has such format:
[Message:
An error occurred while trying to check the health of engines. The following exception was thrown: Culture specific message: Error while connecting to database
Application.Local.ExceptionManagement.LocalConnectionException: Error while connecting to database ---> Oracle.ManagedDataAccess.Client.OracleException: Connection request timed out
at OracleInternal.ConnectionPool.PoolManager`3.Get(ConnectionString csWithDiffOrNewPwd, Boolean bGetForApp, CriteriaCtx criteriaCtx, String affinityInstanceName, Boolean bForceMatch)
at OracleInternal.ConnectionPool.OraclePoolManager.Get(ConnectionString csWithNewPassword, Boolean bGetForApp, CriteriaCtx criteriaCtx, String affinityInstanceName, Boolean bForceMatch)
at OracleInternal.ConnectionPool.OracleConnectionDispenser`3.Get(ConnectionString cs, PM conPM, ConnectionString pmCS, SecureString securedPassword, SecureString securedProxyPassword, CriteriaCtx criteriaCtx)
at Oracle.ManagedDataAccess.Client.OracleConnection.Open()
at Application.ApplicationBlocks.Data.GenericConnection.Open()
at Application.Local.Dal.clsTable.PrepareConnection()
--- End of inner exception stack trace ---
at Application.Local.Dal.clsTable.PrepareConnection()
at Application.Local.BusinessLayer.DxUnitOfWork.BeginTransaction()
at Application.Local.BusinessLayer.DxUnitOfWork.New()
at Application.Local.Engine.LifeCheckService.PerformLifeCheck()
at Application.Local.Engine.LifeCheckService.LifeCheckPolling(CancellationToken cancellationToken)
]Thread ID: [25]
I need to parse an oracle exception (if it occurs) by matching the OracleException string and save an exeption message witch is in current exemple Connection request timed into a separate field.
I'm trying to get an exeption message by using such pattern without luck:
grok {
match => [ "message", "(?:OracleException:%{SPACE}%{GREEDYDATA:oracle_exception})?" ]
}