I need some help with regex in mutate
Part of the log in the message field: "LogError":"30180". Please note the number can vary.

In normal regex we can do grouping "LogError":"([0-9][0-9]*)" and then get the matched regex using \1.

But in Kibana I am trying the code below, and I am not sure how I can add the matched regex to the errorcode field. Please note it is just a part of the code; there are multiple else if conditions.

    if [message] =~ /."LogError":"[0-9][0-9]+".*/ {
      mutate {
        add_field => { "error_code" => "??" }
      }
    }


Mutate filter is not meant to extract data with regex. You should take a look instead at these filters:

Thanks. The concern is that I have written a generic grok filter which should always be applied, and apart from that I need to search for some error based on a matched regex.
So can I have something similar?

    grok {
      match => { "message" => "%{SPACE}%{DATESTAMP:time}%{SPACE}(%{WORD:factoryname})(%{NUMBER:consumer})%{GREEDYDATA:remainingmessage}(`)?" }
      overwrite => "message"
    }
    if [message] =~ /.errors":[{"logerror":"[1-9][0-9]+".*/ {
      grok {
        match => { "message" =>"(?errors":[{"logerror":"[1-9][0-9]+")" }
      }
    }
    else if ...

Can you add real log lines, at least one with "LogError" and one without it?
The grok patterns you added make it easier to troubleshoot your issue :)
If you go one step further and add log lines (and expected output if it's not trivial), it will help to find the solution.
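
An added example, not part of the original thread: one way to get the number after "LogError" into a field is a grok named capture, which does the matching and the extraction in one step instead of a conditional followed by mutate. The field name error_code is taken from the first post; the sample line in the comment and the has_error_code tag are constructed for illustration.

```logstash
filter {
  # Constructed sample event:
  #   message => '... "LogError":"30180" ...'
  grok {
    # (?<error_code>...) is a named capture group: whatever the group
    # matches is stored in the event field error_code. The pattern is
    # single-quoted so the double quotes inside it need no escaping.
    match => { "message" => '"LogError":"(?<error_code>[0-9]+)"' }

    # Lines without LogError are expected here, so do not tag them
    # with _grokparsefailure when this pattern does not match.
    tag_on_failure => []
  }

  # The field only exists when the capture matched, so it can drive
  # the per-error branches (the "else if" chain from the question).
  if [error_code] {
    mutate { add_tag => [ "has_error_code" ] }
  }
}
```

This grok block can sit after a generic grok that is always applied; each grok filter adds its own captured fields to the same event.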

