String with spaces not is not searchable in logstash

NARHAR_DEV_SHARMA · October 7, 2020, 7:22am

Hi Team,

Greeting for the day!

I am trying to search a pattern that contain spaces and its not working.
However, if i put something without space that's working absolutely fine; i am able to send mail to required address after string found in log file.

Below are the lines from my logstash.conf (using ruby filter in my logstash config file).

else if [@message] =~ "org.postgresql.util.PSQLException: The connection attempt failed" {
mutate {
add_field => ["@class", "DB Exception"]
add_field => ["@toaddr", "abc@xyz.com"]
}
}

Please assist, any help on this is appreciated.

Thanks and Regards,
Narhar Dev Sharma

grumo35 · October 7, 2020, 9:41am

What exactly is your problem ?

You're trying to match a log with the =~ operator i'll suggest you to try to parse it using grok filters and creating fields.

You could also split the field using ":" and try to clear out the log message you want eg: "The connection attempt failed" and understand where it came from with fields.

NARHAR_DEV_SHARMA · October 8, 2020, 8:11am

Hi Grumo,

Thanks for replying,

Problem statement String is searchable when it has no spaces, but vise-versa is not working.
i have created filed already while using Ruby filter. Did not understood what you mentioned by "creating fields".

Below is the full code, if that helps to understand more on this.
filter {
ruby {
code => 'event.cancel if event.get("message") == "\u0000"'
}

mutate {
  remove_field => [ "host" ]
}

if [type] != '' {
    mutate {
        rename => [ "type", "@type" ]
    }
}

if [message] != '' {
    mutate {
        rename => [ "message", "@message" ]
    }
} else if [message] == '' and [@message] !~ /^.+$/ {
    drop { }
}

if [@message] =~'ERROR' {
mutate {
add_field => ["@alert", "true" ]
add_field => ["@flag", "{ES_Alert_Flag}"] add_field => ["@cf_env", "{ES_CF_ENV}" ]

		}
if [@message] =~'java.sql.SQLException' or [@message] =~'org.postgresql.util.PSQLException' {
	mutate {
add_field => ["@class", "Database Exception"]
	}
}
else if [@message] =~'java.lang.OutOfMemoryError'{
	mutate {
add_field => ["@class", "Out Of Memory Exception"]
add_field => ["@toaddr", "abc@xyz.com"]
 	}
}
else if [@message] =~'org.postgresql.util.PSQLException: The connection attempt failed' {
	mutate {
add_field => ["@class", "DB Exception"]
add_field => ["@toaddr", "abc@xyz.com"]
	}
}

The code for Java out of memory exception is working and doing the intended work. However, DB exception alert (since it has spaces) is not working.

grumo35 · October 8, 2020, 8:32am

Hello,

Ok so we know that you cant match srings with space so why just use

else if  'org.postgresql.util.PSQLException' in [@message]

instead of :

Tell me if it fits your use case

NARHAR_DEV_SHARMA · October 9, 2020, 4:51am

my requirement is full string only... as there are dozens of the strings that contain only "org.postgresql.util.PSQLException".

system · November 6, 2020, 4:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.