I have a couple of questions:

  1. I tried to use a custom tag as mentioned in https://discuss.elastic.co/t/logstash-configuration-with-custom-patterns/141352 but could not get much help.

  2. I want to match for multiple patterns, like one for a normal log and one for an exception log.

    ^%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level}\s*%{JAVACLASS:class}\.%{WORD:method}\s-\s%{GREEDYDATA:log}$
    
  3. We also have Java patterns that are inbuilt, but I was unable to find them by search, so are they compiled and stored? I wanted to add my patterns in the same file so that I don't get any issues.

Is there another way to get this done apart from writing in the patterns folder?

  • I configure Java log parsing (and exception tagging) directly in Logstash's config. Take a look at a blog post with an example for Spring Boot and see if it helps: knes1.github.io/blog/2015/… Commented Jul 25, 2018 at 6:22
  • Thanks for the reply. I want to use the (^.+Exception: .+)|(^\s+at .+)|(^\s+... \d+ more)|(^\s*Caused by:.+) pattern so that I can have new fields like Exception and causedBy, so that I can later do a group by kinda thing. So can I put this pattern somewhere inline? Please help. Commented Jul 25, 2018 at 7:13
  • It is possible to give multiple patterns to grok. It seems the syntax has changed since that blog post and the new one is grok { match => { "message" => [ ... ] }} (e.g. you can supply a list of patterns inline). I'd try putting your exception pattern before your regular pattern in the pattern list. Commented Jul 25, 2018 at 7:52
  • Apart from that, as I said, I want to split it up; if possible please post the grok pattern. Commented Jul 25, 2018 at 9:59
  • @Raghuveer, did you get any solution for this? Commented Oct 25, 2018 at 6:45

1 Answer

I'm working with Elastic Stack 7.6.2.

Concatenate stack trace lines into one log entry

I'm sending logs to Logstash through Filebeat. I have to configure Filebeat so it treats the whole stack trace as one entry. I'm using multiline as described in Examples of multiline configuration:

#filebeat.yml
filebeat:
  inputs:
    - type: log
      …
      multiline:
        pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
        match: after
output:
  logstash:
    hosts: ["logstash:5044"]

Handle two types of log entries

In my logstash.conf file I have a filter matching against:

  • a regular Spring Boot log entry (not covered here) e.g.:
    2020-05-12 08:31:26.530  INFO 10197 --- [SpringContextShutdownHook] o.s.s.c.ThreadPoolTaskExecutor           : Shutting down ExecutorService 'applicationTaskExecutor'
  • a Java exception e.g.:
    java.lang.IllegalArgumentException: Exception message
        at in.keepgrowing.springbootlog4j2scaffolding.SpringBootLog4j2ScaffoldingApplication.main(SpringBootLog4j2ScaffoldingApplication.java:14) [classes/:?]
        at com.example.myproject.Author.getBookIds(Author.java:38)
        at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
    Caused by: java.lang.NullPointerException
        at com.example.myproject.Book.getId(Book.java:22)
        at com.example.myproject.Author.getBookIds(Author.java:35)
        ... 1 more

Because I haven't listed multiple patterns in one match, every entry is being checked against both matches (I think break_on_match is not working in this case). As a result the _grokparsefailure tag is added to all entries. To remove this tag I have to know that a particular entry was successfully matched by one pattern; the stacktrace or spring_boot_log tag will be present in such a case. Therefore I can safely delete the _grokparsefailure tag for entries that have my tag:

# logstash.conf
…
filter {
    # Exception event: first line is "<fully.qualified.Class>: <message>", rest is the trace
    grok {
        match => { "message" => "%{JAVACLASS:exception}:\s%{GREEDYDATA:stacktrace}" }
        add_tag => [ "stacktrace" ]
    }
    # Regular Spring Boot line
    grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp}…" }
        add_tag => [ "spring_boot_log" ]
    }
    # Each grok that fails adds _grokparsefailure; drop it when one of our own tags proves a match
    if "stacktrace" in [tags] or "spring_boot_log" in [tags] {
        mutate {
            remove_tag => ["_grokparsefailure"]
        }
    }
}
…

Below you can see the screenshot from my ElasticHQ showing how an example stack trace was parsed. There are two parts, exception and stacktrace, and my custom tag in the tags array. [Screenshot from ElasticHQ not reproduced here.]

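To check the Filebeat multiline pattern and the two grok matches offline before deploying them, here is an added Python script (not code from the answer, the question, or the Elastic projects). It emulates Filebeat's multiline with match: after over a few constructed log lines, then parses each aggregated event the way the two grok filters above do, and additionally pulls out the Caused by: chain the question asked for as separate fields. Assumptions: the grok building blocks (JAVACLASS, TIMESTAMP_ISO8601, LOGLEVEL) are inlined approximations of the stock grok definitions rather than loaded from a patterns directory; [[:space:]] is written as \s because Python's re has no POSIX bracket classes; and, unlike grok's default, every pattern is anchored with ^...$ so that the stack-trace match cannot fire on a class name buried in the middle of an ordinary log line.

```python
import re

# Constructed sample input (not real log data): the lines Filebeat would read from the
# application log. Formats mirror the Spring Boot line and the exception from the answer.
RAW_LINES = [
    "2020-05-12 08:31:26.530  INFO 10197 --- [SpringContextShutdownHook] "
    "o.s.s.c.ThreadPoolTaskExecutor           : Shutting down ExecutorService 'applicationTaskExecutor'",
    "java.lang.IllegalArgumentException: Exception message",
    "    at com.example.myproject.Author.getBookIds(Author.java:38)",
    "    at com.example.myproject.Bootstrap.main(Bootstrap.java:14)",
    "Caused by: java.lang.NullPointerException",
    "    at com.example.myproject.Book.getId(Book.java:22)",
    "    ... 1 more",
    "2020-05-12 08:31:27.001  WARN 10197 --- [main] o.s.boot.SpringApplication : Something odd happened",
    "this line matches neither format",
]

# Filebeat multiline pattern from the answer; [[:space:]] rewritten as \s for Python's re.
MULTILINE = re.compile(r"^\s+(at|\.{3})\s+\b|^Caused by:")

# Approximations of the stock grok definitions, inlined so this runs without Logstash.
JAVACLASS = r"(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9$]+"
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?"
LOGLEVEL = r"TRACE|DEBUG|INFO|WARN|ERROR|FATAL"

# First line of an exception event: "<class>: <message>" (message optional).
STACKTRACE_HEAD = re.compile(rf"^(?P<exception>{JAVACLASS})(?::\s?(?P<message>.*))?$")
# Every "Caused by:" line inside the aggregated event, for the causedBy field.
CAUSED_BY = re.compile(rf"^Caused by:\s+(?P<cause>{JAVACLASS})(?::\s?(?P<cause_message>.*))?$", re.M)
# Individual "at ..." frames.
FRAME = re.compile(r"^\s+at\s+(?P<frame>\S+)", re.M)
# Default Spring Boot console layout: ts level pid --- [thread] logger : message
SPRING_BOOT = re.compile(
    rf"^(?P<log_timestamp>{TIMESTAMP_ISO8601})\s+(?P<level>{LOGLEVEL})\s+(?P<pid>\d+)\s+---\s+"
    r"\[(?P<thread>[^\]]*)\]\s+(?P<logger>\S+)\s+:\s(?P<log>.*)$"
)


def aggregate_multiline(lines, pattern=MULTILINE):
    """Emulate Filebeat multiline with negate: false and match: after.

    A line that matches the pattern is appended to the event started by the most
    recent non-matching line; any other line starts a new event.
    """
    events = []
    for line in lines:
        if events and pattern.search(line):
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events


def parse_event(event):
    """Mimic the two grok filters plus the tag cleanup from the answer.

    The exception pattern is tried first (as suggested in the comments); an event
    that matches neither pattern keeps the _grokparsefailure tag.
    """
    first_line = event.split("\n", 1)[0]
    fields = {"message": event, "tags": []}

    m = STACKTRACE_HEAD.match(first_line)
    if m:
        causes = CAUSED_BY.findall(event)  # list of (cause, cause_message) tuples
        fields.update({
            "exception": m["exception"],
            "exception_message": m["message"] or "",
            "stacktrace": event,
            "frames": FRAME.findall(event),
            "caused_by": [cause for cause, _ in causes],
            # Innermost cause is the one worth grouping on; fall back to the top-level class.
            "root_cause": causes[-1][0] if causes else m["exception"],
        })
        fields["tags"].append("stacktrace")
        return fields

    m = SPRING_BOOT.match(first_line)
    if m:
        fields.update(m.groupdict())
        fields["tags"].append("spring_boot_log")
        return fields

    fields["tags"].append("_grokparsefailure")
    return fields


def parse_log(lines):
    """Run the whole pipeline: multiline aggregation, then per-event field extraction."""
    return [parse_event(event) for event in aggregate_multiline(lines)]


if __name__ == "__main__":
    for event in parse_log(RAW_LINES):
        summary = {k: v for k, v in event.items() if k not in ("message", "stacktrace", "tags")}
        print(event["tags"], summary)
```

Running the script prints one line per aggregated event with its tag and extracted fields; the exception block comes out as a single event with exception, exception_message, a caused_by list and a root_cause, which is what a group-by in Kibana needs, while the unrecognised line keeps _grokparsefailure. If you change the Filebeat pattern or a grok expression, paste the new regex here first: a pattern that silently splits a trace into several events is much easier to spot in this loop than in Elasticsearch.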