Regex conditional not working

Miguel_Leite · November 16, 2018, 3:13pm

Hey there guys!

I have a field with the following value:

parsed_alert_txt => "ORA-06000: at "SYS.DBMS_QOPATCH", line 777"

But this conditional doesn't seem to work, and I don't know why:

if [parsed_alert_txt] =~ /ORA-/ {
             mutate { add_tag => ["passed"] }
}

but it never tags the event, so I assume the regex conditional is not working. Can anyone help me?
Thanks!

wwalker · November 16, 2018, 7:30pm

Two suggestions...

I've had issues at times using [field] =~ value/regex, so try flipping it to "ORA-" in [parsed_alert_txt]

Second, define the regex just a little more clearly as ^ORA-.*. What you have I imagine should work but this is an alternative to try.

system · December 14, 2018, 7:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash if condition regex not working Logstash	11	1136	August 29, 2022
Regexp in conditional Logstash	10	4426	September 6, 2019
If condition regex error Logstash	2	356	February 10, 2021
IF conditional not dropping field Logstash	2	519	February 19, 2018
Conditional with regex failing Logstash	6	483	June 9, 2021