i'm tryning that parse logs from a tomcat server which write javastacktrace after error like :
"[ERROR - 18:02:00.028, org.springframework.scheduling.support.TaskUtils$LoggingErrorHandler-95] Unexpected error occurred in scheduled task.
org.springframework.jdbc.BadSqlGrammarException: PreparedStatementCallback; bad SQL grammar [[query]]; nested exception is java.sql.SQLSyntaxErrorException: ORA-00942: Table ou vue inexistante
at org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator.doTranslate(SQLErrorCodeSQLExceptionTranslator.java:231) ~[spring-jdbc-4.1.5.RELEASE.jar:4.1.5.RELEASE]
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:73) ~[spring-jdbc-4.1.5.RELEASE.jar:4.1.5.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:660) ~[spring-jdbc-4.1.5.RELEASE.jar:4.1.5.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:695) ~[spring-jdbc-4.1.5.RELEASE.jar:4.1.5.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:727) ~[spring-jdbc-4.1.5.RELEASE.jar:4.1.5.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:737) ~[spring-jdbc-4.1.5.RELEASE.jar:4.1.5.RELEASE]
..."
i want to split the javastack trace and the error message into 2 different field that is my curents conf file :
logstash conf file :
input{
redis{
host => ["***.***.***.***"]
port => 6379
key => mercure_log_queu
data_type => list
}
}
filter{
grok{
patterns_dir => ["/etc/logstash/patterns/extra_patters"]
match => {"message" => "%{mercure}"}
}
}
output{
elasticsearch{
hosts => ["***.***.***.***:9200"]
manage_template => false
}
file{
path => "/var/log/logstash/mercure_logs"
}
}
%{mercure} pattern :
mercure [%{LOGLEVEL:loglevel}%{SPACE}%{NOTSPACE}%{SPACE}%{TIME:time}, %{NOTSPACE:java_class} ((%{JAVALOGMESSAGE:logmessage}\n%{JAVASTACKTRACEPART}*)|%{JAVALOGMESSAGE:logmessage})
filebeat prospector :
-
input_type: log
paths:
- /var/log/tomcat7/8090/jja-app/commande/jja-dds-injector-full.log
- /var/log/tomcat7/8090/jja-app/commande/jja-dds-injector-errors.log
document_type: mercure
multiline.pattern: ^[
multiline.negate: true
multiline.match: after
result :
in Kibana i could seen the logmessage field = error+javastacktrace - last line of java stack trace :
(logmessage =" Unexpected error occurred in scheduled task.
org.springframework.jdbc.BadSqlGrammarException: PreparedStatementCallback; bad SQL grammar [[query]]; nested exception is java.sql.SQLSyntaxErrorException: ORA-00942: Table ou vue inexistante
at org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator.doTranslate(SQLErrorCodeSQLExceptionTranslator.java:231) ~[spring-jdbc-4.1.5.RELEASE.jar:4.1.5.RELEASE]
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:73) ~[spring-jdbc-4.1.5.RELEASE.jar:4.1.5.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:660) ~[spring-jdbc-4.1.5.RELEASE.jar:4.1.5.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:695) ~[spring-jdbc-4.1.5.RELEASE.jar:4.1.5.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:727) ~[spring-jdbc-4.1.5.RELEASE.jar:4.1.5.RELEASE] ")
when i try that pattern in grok test pattern the parser work so i dont understand what happend bad
could you enlighten me pleas 
PING