Hi Team,
I have a logfile in which I have a few keywords such as ORA-1, ORA-212, ORA-609, and similarly we have more than 100 pieces of information related to an ORA- value in it.
So during the search we want to exclude the below mentioned ORA details
ORA-609
ORA-3136
ORA-12008
ORA-0
And the other ORA- entries need to be displayed while searching the logs so that we can create alerting and schedule the same.
i.e. everything other than (ORA-609, ORA-3136, ORA-12008, ORA-0), the remaining ORA- entries, should be displayed as events so I am able to create the alerting for the same.
index=abc
sourcetype=def
host=xxx
So kindly help with the query.
@anandhalagaras1, can you try below?
index=abc host=xyz ORA-* NOT ORA-609 NOT ORA-3136 NOT ORA-12008 NOT ORA-0
| regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*"
Thank you for your response.
With this query I am able to filter out ORA-609, ORA-3136, ORA-12008, ORA-0 from the logs, which is fine. But in the same query I want to see only the logs which contain ORA-* in the event, since there are other types of events present in the log as well.
For better understanding, I want to see all the ORA-* logs when I search, excluding ORA-609, ORA-3136, ORA-12008, ORA-0.
So kindly help with the query.
| regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*"
| regex _raw="ORA\-.*"
Thank you for your swift response.
But I can still see that a few of the ORA-* events are not captured when I use the query.
For example:
index=abc host="xyz" | regex _raw!="(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*" | regex _raw="ORA\-.*"
I can see there are events related to ORA-00020 today as well as yesterday, but when I ran the query it is not showing this ORA-00020 even though it is not in the exclusion list. Similarly, we have more ORA- entries like this which are not showing up.
So kindly help.
@anandhalagaras1, can you try below?
index=abc host=xyz ORA-* NOT ORA-609 NOT ORA-3136 NOT ORA-12008 NOT ORA-0
This is because you haven't been specific enough or given examples of logs from which to work!
What follows these codes? Is it always a space or a colon or a closing bracket or a non-digit? Basically, the regex needs something to indicate that the code is complete.
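The point raised in the last reply, as an added example that is not part of the original thread: without something marking the end of a code, `ORA\-0` also matches the start of `ORA-00020`, so that event is excluded. The Python code below replays the thread's pattern and a bounded variant over constructed log lines; the rule "a code ends at the first non-digit" and the sample events are assumptions.

```python
import re

# Exclusion list from the thread.
EXCLUDED_CODES = ["609", "3136", "12008", "0"]

# Same shape as the thread's pattern: nothing marks where a code ends.
UNBOUNDED = re.compile(r"(ORA\-609|ORA\-3136|ORA\-12008|ORA\-0).*")

# Assumption: a code is complete when the next character is not a digit.
BOUNDED = re.compile(r"ORA-(?:" + "|".join(EXCLUDED_CODES) + r")(?!\d)")

# Keep only events that carry some ORA- code at all.
ANY_ORA = re.compile(r"ORA-\d+")

# Constructed sample events (message text is placeholder, not real log output).
SAMPLE_EVENTS = [
    "10:00:01 ORA-609: sample text",
    "10:00:02 ORA-00020: sample text",
    "10:00:03 ORA-3136 sample text",
    "10:00:04 ORA-01555: sample text",
    "10:00:05 (ORA-0) sample text",
    "10:00:06 ORA-6090: sample text",
    "10:00:07 ORA-12008: sample text",
    "10:00:08 ORA-1234: sample text",
    "10:00:09 listener started, no error code",
]


def kept_codes(events, exclude_re):
    """Return the first ORA code of every event that passes both filters."""
    kept = []
    for event in events:
        code = ANY_ORA.search(event)
        if code and not exclude_re.search(event):
            kept.append(code.group(0))
    return kept


if __name__ == "__main__":
    # The unbounded pattern drops ORA-00020, ORA-01555 and ORA-6090 as well.
    print("unbounded:", kept_codes(SAMPLE_EVENTS, UNBOUNDED))
    print("bounded:  ", kept_codes(SAMPLE_EVENTS, BOUNDED))
```

The negative lookahead `(?!\d)` is PCRE syntax, which Splunk's `regex` command accepts. If the logs write excluded codes with leading zeros, the exclusion list has to name those forms too.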