Regex conditional not working

Miguel_Leite · November 16, 2018, 3:13pm

Hey there guys!

I have a field with the following value:

parsed_alert_txt => "ORA-06000: at "SYS.DBMS_QOPATCH", line 777"

But this conditional doesn't seem to work, and I don't know why:

if [parsed_alert_txt] =~ /ORA-/ {
             mutate { add_tag => ["passed"] }
}

but it never tags the event, so I assume the regex conditional is not working. Can anyone help me?
Thanks!

wwalker · November 16, 2018, 7:30pm

Two suggestions...

I've had issues at times using [field] =~ value/regex, so try flipping it to "ORA-" in [parsed_alert_txt]

Second, define the regex just a little more clearly as ^ORA-.*. What you have I imagine should work but this is an alternative to try.

system · December 14, 2018, 7:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash if condition regex not working Logstash	11	1161	August 29, 2022
Regex in conditionals Logstash	3	3829	March 31, 2017
Regexp in conditional Logstash	10	4455	September 6, 2019
If condition regex error Logstash	2	358	February 10, 2021
Weird behavior with regexp conditionals Logstash	2	1291	July 6, 2017