
Get starting 10 characters from matched string in a field using logstash?


I want to get the first 10 characters from a string that ends with Exception. Example: I have a field like this:

 "ERRORMESSAGE" => "local exporter [default_local] - failed to delete indice
s\r\nRemoteTransportException[[data-2][10.0.x.x:x300][indices:admin/delete]];
 nested: IndexNotFoundException[no such index];\r\nCaused by: [.marvel-es-1-2017
.06.07] IndexNotFoundException[no such index]\r\n        at org.elasticsearch.cl
uster.metadata.MetaDataDeleteIndexService$1.execute(MetaDataDeleteIndexService.j
ava:91)\r\n        at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(C
lusterStateUpdateTask.java:45)\r\n        at org.elasticsearch.cluster.service.I
nternalClusterService.runTasksForExecutor(InternalClusterService.java:468)\r\n
  at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run
(InternalClusterService.java:772)\r\n        at org.elasticsearch.common.util.co
ncurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndCl
ean(PrioritizedEsThreadPoolExecutor.java:231)\r\n        at org.elasticsearch.co
mmon.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunna
ble.run(PrioritizedEsThreadPoolExecutor.java:194)\r\n        at java.util.concur
rent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\r\n        at ja
va.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\r\
n        at java.lang.Thread.run(Thread.java:745)\r",

Where I need to catch the string that ends with Exception. For that I had used this:

grok {
  match => ["ERRORMESSAGE", "(?<ExceptionType>{10}.Exception)"]
}

Where I am finding the first 10 characters of a string that ends with Exception, but I am getting this error: {:exception=>"RegexpError". The other problem is: if there are more strings that end with Exception in the ERRORTYPE field, does the above grok produce two or more ExceptionType fields?

Thanks


Solution

  • The correct regex is (?<ExceptionType>.{10}Exception). The quantifier ({10}) has to be before the token it quantifies (.) (at least that's how I understand it, I'm not a regex expert).

    The grok filter will return with the first match. In your example, it will be eTransportException.
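
The two patterns from this thread, checked in Ruby, whose regex engine belongs to the same Oniguruma family that grok patterns are written for. This is an added example, not code from the original post: the sample string is a shortened, constructed copy of the question's field, and the `\w+Exception` pattern and the helper names are assumptions that go beyond the thread to capture the whole class name and to list every match.

```ruby
# Constructed sample: a shortened copy of the ERRORMESSAGE value from the question.
SAMPLE = "local exporter [default_local] - failed to delete indices\r\n" \
         "RemoteTransportException[[data-2][10.0.x.x:x300][indices:admin/delete]]; " \
         "nested: IndexNotFoundException[no such index];\r\n" \
         "Caused by: [.marvel-es-1-2017.06.07] IndexNotFoundException[no such index]\r\n" \
         "        at java.lang.Thread.run(Thread.java:745)\r"

BROKEN = '(?<ExceptionType>{10}.Exception)'  # pattern from the question
FIXED  = '(?<ExceptionType>.{10}Exception)'  # pattern from the answer
FULL   = '(?<ExceptionType>\w+Exception)'    # assumption: whole class name, any length

# Returns nil when the pattern compiles, otherwise the RegexpError message.
def compile_error(src)
  Regexp.new(src)
  nil
rescue RegexpError => e
  e.message
end

# Leftmost match only, which is what the answer says the grok filter returns.
def first_exception(src, text)
  m = Regexp.new(src).match(text)
  m && m[:ExceptionType]
end

# Every non-overlapping match, for comparison (String#scan is Ruby, not a grok option).
def all_exceptions(src, text)
  text.scan(Regexp.new(src)).flatten
end

if __FILE__ == $PROGRAM_NAME
  puts "broken pattern error : #{compile_error(BROKEN).inspect}"
  puts "fixed, first match   : #{first_exception(FIXED, SAMPLE)}"
  puts "full name, first     : #{first_exception(FULL, SAMPLE)}"
  puts "full name, all       : #{all_exceptions(FULL, SAMPLE).inspect}"
end
```

With the fixed-width pattern the captured value is cut mid-word, so a field meant for alerting or aggregation on exception type is better served by a pattern that captures the full class name.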