elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Filebeat Oracle module ingest pipeline error #36381

Open slaznik opened 1 year ago

slaznik commented 1 year ago

Hello,

After trying to transform a message using the ingest pipeline that is supplied with the Filebeat Oracle module, I got the following error: `field [audit] does not contain value_split [:\\S\\d+\\S(?= ')]`

After further inspection I noticed that the audited query `\nACTION :[128] '\nselect thread#, status, enabled, instance, groups, current_group#, sequence#, checkpoint_change# from v$thread\norder by thread#'` contains a `\n` character, which means that the query is recognized as a key-value pair based on the field_split regex `\\n(?=[a-zA-Z])`. When the KV processor tries to perform the value split on the produced key-value pair with the regex `:\S\d+\S(?= ')`, it fails.

To resolve this issue, I changed the field_split regex to `\\n(?=[a-zA-Z\s]+\s?:)`.
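The behaviour reported above can be reproduced offline with the sketch below, an added example that is not part of the original post or of the Beats code base. It approximates the KV processor with Python's `re` module; the regexes are the ones quoted in the issue (assumed to be JSON-escaped there), and the `DATABASE USER` and `PRIVILEGE` lines, the helper name `kv_split` and the trimming of quotes are constructed for illustration.

```python
import re

# Regexes quoted in the issue, written unescaped (assumption: the doubled
# backslashes in the issue are JSON escaping).
FIELD_SPLIT_ORIGINAL = r"\n(?=[a-zA-Z])"
FIELD_SPLIT_CHANGED = r"\n(?=[a-zA-Z\s]+\s?:)"
VALUE_SPLIT = r":\S\d+\S(?= ')"

# Constructed sample of the `audit` field: the multi-line query from the
# issue, followed by two constructed single-line entries.
SAMPLE_AUDIT = (
    "ACTION :[128] '\n"
    "select thread#, status, enabled, instance, groups, current_group#, "
    "sequence#, checkpoint_change# from v$thread\n"
    "order by thread#'\n"
    "DATABASE USER:[1] '/'\n"
    "PRIVILEGE :[6] 'SYSDBA'"
)


def kv_split(field_name, text, field_split, value_split=VALUE_SPLIT):
    """Approximate a KV processor: split into pairs, then each pair in two."""
    result = {}
    for pair in re.split(field_split, text):
        parts = re.split(value_split, pair, maxsplit=1)
        if len(parts) != 2:
            # Same failure mode as the error message quoted in the issue.
            raise ValueError(
                f"field [{field_name}] does not contain value_split [{value_split}]"
            )
        key, value = parts
        # Trimming whitespace and quotes is a simplification for readability.
        result[key.strip()] = value.strip().strip("'").strip()
    return result


if __name__ == "__main__":
    try:
        kv_split("audit", SAMPLE_AUDIT, FIELD_SPLIT_ORIGINAL)
    except ValueError as err:
        print("original field_split:", err)
    print("changed field_split:",
          kv_split("audit", SAMPLE_AUDIT, FIELD_SPLIT_CHANGED))
```

With the original field_split, the lines `select ...` and `order by thread#'` become separate "pairs" that contain no length marker such as `:[128]`, so the value split fails on them; the changed regex only splits before a line whose leading letters and spaces run up to a colon.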

botelastic[bot] commented 1 year ago

This issue doesn't have a Team:<team> label.

botelastic[bot] commented 2 months ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!