Hello,
I am pretty close with extracting the ORA error out of the message field. However the field created has the dash ORA-. I want to name the field something else. For example ORA_err.
Grok snippet:
grok {
match => [ "message", "(?ORA-[0-9]*)" ]
}
How would I go about doing this?
Thanks,
Frank
I figured this out.
Solution: removed the dash.
grok {
match => [ "message", "(?ORA-[0-9]*)" ]
}
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.