- Newest
- Most votes
- Most comments
Hello, thanks for reaching out!
While I'm not totally familiar with the full format of Oracle logs, hopefully these examples can help out here. Also, I wasn't fully clear on if you're attempting to parse these logs using Logs Insights or for setting up a Metric Filter on a log group for alerting, so I'll provide examples for both.
For testing, I used the following made-up sample logs messages based on the snippet you provided. The samples ahead assume that the logs are space delimited:
2022-04-13 00:00:28 service_update DB_1 STATUS * 0
2022-04-13 00:00:29 service_update DB_1 STATUS * 1
2022-04-13 00:00:30 service_update DB_1 STATUS * 1
2022-04-13 00:00:31 service_update DB_1 STATUS * 1
2022-04-13 00:00:32 service_update DB_1 STATUS * 1
2022-04-13 00:00:33 service_update DB_1 STATUS * 0
2022-04-13 00:00:34 service_update DB_1 STATUS * 1
2022-04-13 00:00:35 service_update DB_1 STATUS * 1
2022-04-13 00:00:36 service_update DB_1 STATUS * 0
2022-04-13 00:00:37 service_update DB_1 STATUS * 1
2022-04-13 00:00:38 service_update DB_1 STATUS * 1
2022-04-13 00:00:39 service_update DB_1 STATUS * 0
2022-04-13 00:00:40 service_update DB_1 STATUS * 1
In Logs Insights, the following query would return only log messages where the status is not equal to 0 by parsing the string to seven unique fields:
fields @timestamp
| parse @message "* * * * * * *" as date, time, action, db, type, asterisk, status
| filter status!=0
| sort time desc
Similarly, if you wanted to create a metric filter on the log group to generate a metric for non-zero status in order to create an alarm, the following metric filter pattern successfully parses and filters for status!=0:
[date, time, action, db, type, asterisk, status!=0]
On the same note, for your alert logs (again assuming space delimiting), given the sample logs:
2022-04-13 00:00:28 service_update DB_1 STATUS ORA-1 0
2022-04-13 00:00:29 service_update DB_1 STATUS ORA-2 1
2022-04-13 00:00:30 service_update DB_1 STATUS ORA-3 1
2022-04-13 00:00:31 service_update DB_1 STATUS ORA-8 1
You can generate a metric filter pattern to monitor and filter only for logs that contain "ORA-*" except for "ORA-1":
[date, time, action, db, type, error!=ORA-1, status]
Hope this helps, let me know if my assumptions were incorrect!
Relevant content
- asked 2 years ago
- Accepted Answer
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 months ago
tyvm, this was on hold for a while and I am just now resuming work. A pleasure to come across your input. By any chance have you come across these two refinements? Is there support for regular expressions, and secondly is there a preferred method for timestamp comparisons? In the first query, ORA- error messages to ignore are the set of ORA-0, ORA-00000, ORA-1, or ORA-00001. In SQLPlus syntax I would simply query for the four strings using an IN clause.
Traditionally I would query for something like @timestamp > sysdate - 30 to search the most recent half-hour. TIA if either of these piques your interest.