Include message with string not working??

  • Kevin Keech

    Hi Michael,

    For the include/exclude filters, the regular expression you supply needs to match the entire log message. Usually you can match this by just adding a .* to the beginning and end of the expression to match the rest of the line content. However, if you have multi-line messages you may need to add an additional flag to the expression to tell it to also match on newlines.

    Give this expression a try, hopefully this will address the issue. 

    (?s).*(error|exception|fail).*(?s)

    Note the rule may take up to 10 minutes to apply and will only apply to new messages. You should also be sure you do not have any time parsing issues when validating that the rule is being applied, as a time parsing issue may show messages for the current given time range which were actually delivered and processed before the rule was applied. Running your query using the "Use Receipt Time" box should show if things are working or not working.


    More help on the format for include/exclude filters can be found in the following help docs. 

    https://help.sumologic.com/Manage/Collection/Processing-Rules/Include-and-Exclude-Rules

  • Michael Perez

    Thanks Kevin! Working great now.
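
The behaviour described in the first reply, as an added example that is not part of the thread or of Sumo Logic's code: it compares a bare alternation, the `.*`-wrapped form, and the suggested `(?s)` form against a single-line and a multi-line message. It assumes Go's RE2-syntax `regexp` package behaves like the filter matcher; the `fullMatch` helper and the sample messages are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// fullMatch (hypothetical helper) reports whether expr matches the entire
// message, which is how the reply says include/exclude filters are evaluated.
// Wrapping the expression in \A(?:...)\z is this example's model of that rule.
func fullMatch(expr, msg string) bool {
	re := regexp.MustCompile(`\A(?:` + expr + `)\z`)
	return re.MatchString(msg)
}

// Constructed sample messages, not taken from the thread.
const (
	singleLine = "2024-01-01 12:00:00 WARN job 17 fail: disk quota reached"
	multiLine  = "2024-01-01 12:00:01 ERROR request aborted\n" +
		"java.lang.IllegalStateException: exception while closing stream\n" +
		"\tat com.example.Worker.run(Worker.java:42)"
)

// Filter expressions compared below; the last one is the expression
// suggested in the reply.
var filters = []string{
	`(error|exception|fail)`,             // keyword only: never spans the whole message
	`.*(error|exception|fail).*`,         // spans one line, but . stops at a newline
	`(?s).*(error|exception|fail).*(?s)`, // (?s) lets . cross newlines
}

func main() {
	for _, f := range filters {
		fmt.Printf("%-38s single=%-5v multi=%v\n",
			f, fullMatch(f, singleLine), fullMatch(f, multiLine))
	}
}
```

Only the `(?s)` form includes both messages; the `.*`-wrapped form silently drops the multi-line stack trace, which is the case worth testing before relying on an include rule for error collection.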