Hi all,
Could I get some advice as to how I can efficiently fingerprint stack traces using Logstash?
I am aware of the fingerprint filter, but it's not quite enough. I also want to ignore everything in the message that is before the stack trace, since the error message may contain data that changes. For example: if the stack trace is triggered by a primary key violation and the key values are logged, then the hash of the message would differ, but I want to consider the error still the same.
What it basically comes down to is a rule that says "ignore everything before the first line matching a prefix", with that prefix being akin to "\tat" - it may vary a bit by application, but we can manage that on a per-application basis.
Is there a way to do that efficiently in Logstash without a custom plugin?
In the long run we may need to filter out any line numbers present. We are trying to report on error trends across multiple releases; if the line numbers in a stack trace are present, then even adding a line in front of any involved code would change the fingerprint, which means we will have to collate additional fingerprints.
This second one is not much of an issue at the moment: the first application we are targeting is a .NET application that doesn't actually write line numbers. But we are looking at some Java applications that do log line numbers as well, which may require that second normalization.
Again: is there a way to do that efficiently without a custom plugin?
Cheers,
Peter
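
The two normalizations described in the post, as an added Ruby example that is not part of the original post: everything before the first frame line is dropped, and line numbers are removed before hashing. The function names, the Java-style `(File.java:NN)` pattern and the sample events are assumptions constructed for illustration.

```ruby
require 'digest'

# Frame prefix from the post ("\tat"); adjust per application.
FRAME_PREFIX = /\A\s+at /

# Assumed Java frame suffix "(Foo.java:42)"; only the number is dropped.
JAVA_LINE_NUMBER = /:\d+\)\s*\z/

# Returns the trace from the first frame line onward, or nil when the
# message has no line matching the prefix (i.e. no stack trace).
def normalize_trace(message, prefix: FRAME_PREFIX, strip_line_numbers: true)
  lines = message.lines.map(&:chomp)
  first = lines.index { |line| line.match?(prefix) }
  return nil if first.nil?

  kept = lines.drop(first)
  kept = kept.map { |line| line.sub(JAVA_LINE_NUMBER, ')') } if strip_line_numbers
  kept.map(&:rstrip).join("\n")
end

# SHA-256 of the normalized trace, or nil when there is nothing to hash.
def trace_fingerprint(message, **opts)
  normalized = normalize_trace(message, **opts)
  normalized && Digest::SHA256.hexdigest(normalized)
end

# Constructed sample events: same failure, different key value and release.
EVENT_A = "ERROR Duplicate key (id)=(1001)\n" \
          "java.sql.SQLException: duplicate key 1001\n" \
          "\tat com.example.Dao.insert(Dao.java:42)\n" \
          "\tat com.example.Service.save(Service.java:17)\n"
EVENT_B = "ERROR Duplicate key (id)=(2002)\n" \
          "java.sql.SQLException: duplicate key 2002\n" \
          "\tat com.example.Dao.insert(Dao.java:45)\n" \
          "\tat com.example.Service.save(Service.java:17)\n"

if __FILE__ == $PROGRAM_NAME
  puts trace_fingerprint(EVENT_A)
  puts trace_fingerprint(EVENT_B)
end
```

Inside Logstash, the same logic could run in a `ruby` filter that writes the normalized text to a field, which the `fingerprint` filter then hashes via its `source` option. Lines such as `Caused by:` that appear after the first frame are kept by this rule and may still carry variable data.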