ES|QL

Group errors by pattern with CATEGORIZE

CATEGORIZE automatically groups similar messages into patterns: thousands of error lines collapse into a handful of families, without writing a single regex.

Requirements

Elasticsearch 8.18+ (technical preview)

SQL
FROM "logs-app-*"
| WHERE log.level == "error"
  AND @timestamp >= NOW() - 24 hours
| STATS
    occurrences = COUNT(*),
    services = COUNT_DISTINCT(service.name),
    derniere = MAX(@timestamp)
  BY motif = CATEGORIZE(message)
| SORT occurrences DESC
| LIMIT 10

Result

motif                                    | occurrences | services | derniere
-----------------------------------------+-------------+----------+-------------------------
.*?Connection.+?refused.+?port.*?        |      12 480 |        6 | 2026-06-10T15:59:41.002Z
.*?Timeout.+?waiting.+?response.*?       |       8 102 |        4 | 2026-06-10T15:58:07.566Z
.*?OutOfMemoryError.+?heap.*?            |       1 940 |        2 | 2026-06-10T14:21:33.910Z
.*?Failed.+?authenticate.+?user.*?       |       1 277 |        3 | 2026-06-10T15:55:12.044Z
.*?Disk.+?quota.+?exceeded.*?            |         310 |        1 | 2026-06-10T11:02:58.371Z
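To make the result table above concrete, here is an added illustration (not part of the original snippet and not Elastic's implementation) of the idea behind CATEGORIZE: tokens that recur across messages form the pattern, one-off values such as IPs, ports and usernames fall into the lazy regex gaps, and the same occurrences/services aggregation as the STATS clause is then run per pattern. The log lines and the frequency rule are constructed assumptions for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample documents (not real data): (service.name, message).
SAMPLE_LOGS = [
    ("api",    "Connection to 10.0.0.12 refused on port 5432"),
    ("worker", "Connection to 10.0.0.40 refused on port 6379"),
    ("api",    "Connection to db01 refused on port 5432"),
    ("auth",   "Failed to authenticate user alice from 192.168.1.7"),
    ("auth",   "Failed to authenticate user bob from 192.168.1.9"),
    ("batch",  "Timeout (30000 ms) waiting for response from queue-7"),
    ("api",    "Timeout (15000 ms) waiting for response from queue-3"),
]

# Function words carry no grouping signal; anything that is not a plain word of
# 3+ letters (numbers, IPs, hostnames, paths) is treated as variable data.
STOPWORDS = {"the", "for", "from", "with", "and"}
WORD = re.compile(r"^[A-Za-z]{3,}$")

def tokens(message):
    """Candidate stable tokens of one message, in order of appearance."""
    return [t for t in message.split() if WORD.match(t) and t.lower() not in STOPWORDS]

def categorize_all(logs):
    """CATEGORIZE-style key per message (simplified approximation, not Elastic's
    algorithm): a token is kept only if it recurs across messages (document
    frequency >= 2), so usernames and other one-off values fall into '.+?' gaps."""
    per_msg = [tokens(m) for _, m in logs]
    df = Counter(t for toks in per_msg for t in set(toks))
    keys = []
    for toks in per_msg:
        stable = [t for t in toks if df[t] >= 2]
        keys.append(".*?" + ".+?".join(stable) + ".*?" if stable else ".*?")
    return keys

def triage(logs):
    """Equivalent of STATS occurrences, services BY motif = CATEGORIZE(message) | SORT."""
    occ, services = Counter(), defaultdict(set)
    for (service, _), key in zip(logs, categorize_all(logs)):
        occ[key] += 1
        services[key].add(service)
    rows = [{"motif": k, "occurrences": n, "services": len(services[k])} for k, n in occ.items()]
    return sorted(rows, key=lambda r: (-r["occurrences"], r["motif"]))

if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS):
        print(f'{row["motif"]:45} {row["occurrences"]:>5} {row["services"]:>3}')
```

Note that a message family seen only once has no recurring tokens under this toy rule; the real engine handles singletons with a proper frequency model.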
Tags: CATEGORIZE, Pattern mining, Logs, Triage
