Regex conditional not working

Miguel_Leite · November 16, 2018, 3:13pm

Hey there guys!

I have a field with the following value:

parsed_alert_txt => "ORA-06000: at "SYS.DBMS_QOPATCH", line 777"

But this conditional doesn't seem to work, and I don't know why:

if [parsed_alert_txt] =~ /ORA-/ {
             mutate { add_tag => ["passed"] }
}

but it never tags the event, so I assume the regex conditional is not working. Can anyone help me?
Thanks!

wwalker · November 16, 2018, 7:30pm

Two suggestions...

I've had issues at times using [field] =~ value/regex, so try flipping it to "ORA-" in [parsed_alert_txt]

Second, define the regex just a little more clearly as ^ORA-.*. What you have I imagine should work but this is an alternative to try.

Topic		Replies	Views
Logstash if condition regex not working Logstash	11	1620	August 29, 2022
Regexp in conditional Logstash	10	4830	September 6, 2019
Issues with Logstash Conditionals inside filter Logstash	7	428	May 10, 2019
Regex in conditionals Logstash	3	3873	March 31, 2017
If condition regex error Logstash	2	397	February 10, 2021