Hey there guys!
I have a field with the following value:
parsed_alert_txt => "ORA-06000: at "SYS.DBMS_QOPATCH", line 777"
But this conditional doesn't seem to work, and I don't know why:
if [parsed_alert_txt] =~ /ORA-/ {
mutate { add_tag => ["passed"] }
}
but it never tags the event, so I assume the regex conditional is not working. Can anyone help me?
Thanks!
Two suggestions...
I've had issues at times using [field] =~ value/regex, so try flipping it to "ORA-" in [parsed_alert_txt]
Second, define the regex just a little more clearly as ^ORA-.*. What you have I imagine should work but this is an alternative to try.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.