Regex in mutate filter

Elastic Stack Logstash
1

Hi,

I need some help with regex in mutate
Part of log in message field : "LogError":"30180" - Please note number can vary .

in normal regex we can do grouping "LogError":"([0-9][0-9]*)" and then get the matched regex using \1

But in kibana i am trying the below code but not sure how can i add the matched regex in errorcode field .Please note it is just a part of code there are multiple else if condition

if [message] =~ /."LogError":"[0-9][0-9]+".*/
{
mutate
{ add_field =>

{ "error_code" => "??" }
} }

2

Hi,

Mutate filter is not meant to extract data with regex. You should take a look instead at these filters:

4

Thanks for the reply.......my concern is i have written a generic grok filter ....
which should always be applied and apart from that i need to search for some error based on matched regex.
So can i have something similar

grok {
match => { "message" => "%{SPACE}%{DATESTAMP:time}%{SPACE}(%{WORD:factoryname})(%{NUMBER:consumer})%{GREEDYDATA:remainingmessage}(`)?" }
overwrite => "message"
}
if [message] =~ /.errors":[{"logerror":"[1-9][0-9]+".*/ {
grok {
match => { "message" =>"(?errors":[{"logerror":"[1-9][0-9]+")" } }
}
else if ...

5

Can you add real log lines, at least one with "LogError" and one without it?
The grok patterns you added make it easier to troubleshoot your issue :slight_smile:
If you go one step further and add log lines (and expected output if it's not trivial) will help to find the solution.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.