CloudWatch trouble parsing @message for a string with wildcards.
If there is actual documentation on this, my apologies as I've hunted several hours for the solution. As an Oracle DBA, I need to monitor certain log files for certain strings. For the listener log, one type of message contains "service_update * <db_name> * STATUS * [0 or non-zero]." I can parse everything up to the asterisk but even with double-quote delimiters, I cannot figure out how to include the end of that string. Specifically, I need to alert whenever a non-zero status is thrown.
Similarly, for the alert log I need to flag messages containing "ORA-" error messages except for 'ORA-1". Thanks in advance for your aid.
.
Hello, thanks for reaching out!
While I'm not totally familiar with the full format of Oracle logs, hopefully these examples can help out here. Also, I wasn't fully clear on if you're attempting to parse these logs using Logs Insights or for setting up a Metric Filter on a log group for alerting, so I'll provide examples for both.
For testing, I used the following made-up sample logs messages based on the snippet you provided. The samples ahead assume that the logs are space delimited:
2022-04-13 00:00:28 service_update DB_1 STATUS * 0
2022-04-13 00:00:29 service_update DB_1 STATUS * 1
2022-04-13 00:00:30 service_update DB_1 STATUS * 1
2022-04-13 00:00:31 service_update DB_1 STATUS * 1
2022-04-13 00:00:32 service_update DB_1 STATUS * 1
2022-04-13 00:00:33 service_update DB_1 STATUS * 0
2022-04-13 00:00:34 service_update DB_1 STATUS * 1
2022-04-13 00:00:35 service_update DB_1 STATUS * 1
2022-04-13 00:00:36 service_update DB_1 STATUS * 0
2022-04-13 00:00:37 service_update DB_1 STATUS * 1
2022-04-13 00:00:38 service_update DB_1 STATUS * 1
2022-04-13 00:00:39 service_update DB_1 STATUS * 0
2022-04-13 00:00:40 service_update DB_1 STATUS * 1
In Logs Insights, the following query would return only log messages where the status is not equal to 0 by parsing the string to seven unique fields:
fields @timestamp
| parse @message "* * * * * * *" as date, time, action, db, type, asterisk, status
| filter status!=0
| sort time desc
Similarly, if you wanted to create a metric filter on the log group to generate a metric for non-zero status in order to create an alarm, the following metric filter pattern successfully parses and filters for status!=0:
[date, time, action, db, type, asterisk, status!=0]
On the same note, for your alert logs (again assuming space delimiting), given the sample logs:
2022-04-13 00:00:28 service_update DB_1 STATUS ORA-1 0
2022-04-13 00:00:29 service_update DB_1 STATUS ORA-2 1
2022-04-13 00:00:30 service_update DB_1 STATUS ORA-3 1
2022-04-13 00:00:31 service_update DB_1 STATUS ORA-8 1
You can generate a metric filter pattern to monitor and filter only for logs that contain "ORA-*" except for "ORA-1":
[date, time, action, db, type, error!=ORA-1, status]
Hope this helps, let me know if my assumptions were incorrect!
Relevant questions
DMS CDC with Oracle - "Cannot retrieve Oracle archived Redo log destination ids"
Accepted Answerasked 2 years agoSupport for RDS Oracle as source while using DMS SCN for CDC
Accepted Answerasked 4 years agoWhat is the syntax for wildcards in the callback url?
asked 5 years agoHIVE_BAD_DATA: Error parsing field value '2021-10-31 22:00:00.0' for field 3: For input string: "2021-10-31 22:00:00.0"
Accepted Answerasked 3 months agoCloudWatch trouble parsing @message for a string with wildcards.
asked 3 months agoNumber messageAttribute delivered as String in Lambda subscriber to SNS Topic
Accepted Answerasked 2 months agoLooking for guidance/documentation to migration Oracle Fusion Middleware applications from Oracle Cloud to AWS
asked 5 months agoAWS RDS & Cloudwatch Free Tier Charges
asked 3 months agoIs it possible to use IAM and Secure Token Service as the authentication solution for an application?
asked 4 months agoIs there an ip-block for whitelisting?
asked a year ago