Catch java stack trace


(Emil Eldar Rustamov) #1

Dear all,

I need multiline pattern which can catch such kind of java stack trace:

17-05-2017 15:39:54  [ERROR]  {OCMLoging.java:65} [CRFERID:1:1ffadc7857d413dd78ed080e5367e267-938040128]  - [ca.server.FuncWrap0:4792] Replace_Msisdn_Sim: , customer: 117308, java.sql.SQLException: ORA-02055: distributed update operation failed; rollback required
ORA-01403: no data found
ORA-06512: at "OCMUSER.POSTPAID_RESALE_PROCESS", line 86
ORA-06512: at "SUBSCRIPTION.DEALER_ACTIVATE_REPLACE", line 78
ORA-06512: at line 1

java.sql.SQLException: ORA-02055: distributed update operation failed; rollback required
ORA-01403: no data found
ORA-06512: at "OCMUSER.POSTPAID_RESALE_PROCESS", line 86
ORA-06512: at "SUBSCRIPTION.DEALER_ACTIVATE_REPLACE", line 78
ORA-06512: at line 1

	at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)
	at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331)
	at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:288)
	at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:743)
	at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:216)
	at oracle.jdbc.driver.T4CPreparedStatement.executeForRows(T4CPreparedStatement.java:955)
	at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1168)
	at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3285)
	at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:3368)
	at net.sf.log4jdbc.PreparedStatementSpy.executeUpdate(PreparedStatementSpy.java:721)
	at org.apache.tomcat.dbcp.dbcp.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:105)
	at org.apache.tomcat.dbcp.dbcp.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:105)
	at ca.server.FuncWrap0.Replace_Msisdn_Sim(FuncWrap0.java:4792)
	at ca.server.Rkv.service(Rkv.java:506)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

Quick response will be greatly appreciated.


(Steffen Siering) #2

please properly format you logs/configs using the </> button. For multiline patterns it's helpful to see the structure, as you want to match on structure, not content.

Not knowing if there is any whitespacing involved, I'd recommend to filter on the date '^\d{2}-\d{2}-\d{4}' with negate set to true.


(Emil Eldar Rustamov) #3

Steffen, thank you for response. Will your pattern meet stack trace provided by me? How you suggest format my logs and configs? Are there any best practice templates?


(Emil Eldar Rustamov) #4

Dears,

Can anyone help me?

It is urgent case


(Steffen Siering) #5

Will your pattern meet stack trace provided by me?

I'd say so, but then you just provided one sample. As I said, seeing structure is helpful. This also includes other events before/after the multiline event + potentially other multiline events. Just to be sure no duplicates are created.

Your use-case seems to match the timestamp use-case in filebeat docs.

If stack-traces are fully indented by spaces, you can also use this configuration.

How you suggest format my logs and configs

Just select the content to be formatted in the editor and click on the </> format button at the top bar of the editor.

You can test your multiline configuration with sample logs either using the filebeat-multiline-tester by hartfordfive or the web based Go Playground.


(Emil Eldar Rustamov) #6

It is pity, but it doesn't meet above-mentioned stack trace. :frowning:

Ok, i'll investigate other possibilities.

Thank you anyway, Steffen


(Emil Eldar Rustamov) #7

This pattern also doesn't work as expected:

'^[[0-9]{4}-[0-9]{2}-[0-9]{2}'


(Steffen Siering) #8

why you think it doesn't match? Have you configured filebeat correctly? Have you tried with the go playground (works perfectly for me)?


(Emil Eldar Rustamov) #9

Here is my filebeat.yml:

###################### Filebeat Configuration Example 
 
# You can find the full configuration reference here:# https://www.elastic.co/guide/en/beats/filebeat/index.html
 
#=========================== Filebeat prospectors  
filebeat.prospectors:
 
#======OCM=log==========================
 
- input_type: log
  paths:
 
  - "/home/tomcat/ocm_tomcat_7.0.70/OCMlogs/OCMLog/*"
 
  document_type: OCM_logs

  fields:
    host: container02_lb
    application: OCM
  fields_under_root: true
 
  tags: ["container02_lb","OCM"]
 
#======OCM=log==========================

#======OCMErrorLog=logs==========================
 
- input_type: log
  paths:
 
  - "/home/tomcat/ocm_tomcat_7.0.70/OCMlogs/OCMErrorLog/*"
 
  document_type: OCMErrorLog_logs

  fields:
    host: container02_lb
    application: OCM
  fields_under_root: true
 
  tags: ["container02_lb","OCMErrorLog"]
 
#======OCMErrorLog=logs==========================
 
  # Exclude lines. A list of regular expressions to match. It drops the lines that are matching any regular expression from the list.
  #exclude_lines: ["^DBG"]
 
  # Include lines. A list of regular expressions to match. It exports the lines that are matching any regular expression from the list.
  #include_lines: ["^ERR", "^WARN"]
 
  # Exclude files. A list of regular expressions to match. Filebeat drops the files that are matching any regular expression from the list. By default, no files are dropped.
  exclude_files: ['\.gz$','\.bz2$']
 
  ### Multiline options
 
  multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
 
  multiline.negate: true
 
  multiline.match: after

  multiline.max_lines: 500 
#================================ General 
 
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
name: 'container02_lb_shipper'
 
# The tags of the shipper are included in their own field with each transaction published.
tags: ["container02_lb_shipper", "container02_lb_logs"]
 
#================================ Outputs =====================================
 
# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.
 
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  enabled: true
  hosts: ["127.0.0.1:9200"]
  #template:
  #  name: "filebeat"
  #  path: "filebeat.template.json"
  #  overwrite: false
  manage_template: true
  index: "logs-%{+YYYY.MM.dd}"
  timeout: 30
  close_inactive: 2m
  clean_inactive: 15m
  bulk_max_size: 100
  flush_interval: 1
  scan_frequency: 5  
  max_retries: 10
  codec: json

What is wrong in my config, Steffen?


(Steffen Siering) #10

assuming spacing is correct, why do you use this regex: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}' ? The regex can not match this data: 17-05-2017. You have to use '^\d{2}-\d{2}-\d{4}'.

Have you even tried with the go playground or filebeat-multiline-tester? These tools allow you to test/iterate multiple multiline/regex strategies.


(Emil Eldar Rustamov) #11

Dear Steffen,

Thanks a lot for help.

1.Where can i read about logs mask options?

2.Which environment should me install to use this GO source code?

Thank you in advance


(Steffen Siering) #12

1.Where can i read about logs mask options?

What you mean by "logs mask" options?

2.Which environment should me install to use this GO source code?

The go playground is fully web-based. No need to install anything. For compiling the filebeat-multiline-tester you will need to install and configure a go environment and install the tool via go install github.com/hartfordfive/filebeat-multiline-tester.


(Emil Eldar Rustamov) #13

Thanks a lot.

Under log mask i mean such masks to catch different kinds of logs:

'^[[0-9]{4}-[0-9]{2}-[0-9]{2}'

'^\d{2}-\d{2}-\d{4}'

Can i use several log masks in one config file?


(Steffen Siering) #14

The regular expression pretty much depends on the log file format itself. Some common use-cases are documented here: https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html

In general, when doing multiline, you want to capture some structure in your regex, not necessarily actual content.

You can combine multiple regular expressions using the or operator like (re1)|(re2) or have a multiline configuration per prospector. The regex syntax is documented here: https://www.elastic.co/guide/en/beats/filebeat/current/regexp-support.html


(system) #15

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.