I have a log message with this structure:
"message" => "{
    "@timestamp":"201856T12:54:33.347+02:00",
    "thread":"main",
    "logger_name":"org.elasticsearch.bootstrap",
    "level":"WARN",
    "message":"JNA not found. native methods will be disabled.",
    "stack_trace": "java.lang.ClassNotFoundException: ...
}
As you can see, inside the message there is a stack_trace field, but the control
if [message][stack_trace] {
    mutate { add_tag => ["EXCEPTION"] }
}
doesn't work.
How can I check if "message" contains the "stack_trace" field?
Did you parse message with a json filter or codec?
The message is generated via logstash-logback-encoder, as follows:
<appender name="STASH" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
    <destination>localhost:5000</destination>
    <encoder class="net.logstash.logback.encoder.LoggingEventCompositeJsonEncoder">
        <providers>
            <timestamp>
                <timeZone>Europe/Berlin</timeZone>
            </timestamp>
            <callerData>
                <classFieldName>classname</classFieldName>
                <methodFieldName>method</methodFieldName>
                <fileFieldName>file</fileFieldName>
                <lineFieldName>line</lineFieldName>
            </callerData>
            <threadName>
                <fieldName>thread</fieldName>
            </threadName>
            <loggerName />
            <logLevel />
            <message />
            <stackTrace />
        </providers>
    </encoder>
</appender>
This is the content of the Logstash input pipeline:
input {
    tcp {
        port => 5000
    }
}
filter {
    .....
}
output {
    .....
}
This is the correct syntax, although if I parse that input with an xml filter the field would end up being called [message][providers][stackTrace] (or [message][providers][0][stackTrace][0] without force_array => false).
@Badger
I added
json {
    source => "message"
}
and now the instruction
if [message][stack_trace] { }
works!
Sorry, but slowly I'm trying to understand Logstash.
June 25, 2018, 2:08pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
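The pattern discussed in this thread, as an added example that is not part of the original posts: the raw TCP line is parsed with the json filter before any nested field is tested, and lines that fail to parse are tagged instead of being silently skipped by the conditional. The `target` name `app` and the `UNPARSED` tag are assumptions chosen for illustration; without `target`, the json filter writes the parsed keys at the top level of the event.

```logstash
input {
  tcp {
    port => 5000
  }
}

filter {
  # Until this filter runs, [message] is a single string, so a nested
  # reference such as [message][stack_trace] has nothing to match.
  json {
    source => "message"
    target => "app"                          # assumed name: parsed keys land under [app]
    tag_on_failure => ["_jsonparsefailure"]  # the filter's default failure tag
  }

  if "_jsonparsefailure" in [tags] {
    # Anything on the socket that is not valid JSON ends up here.
    # "UNPARSED" is an assumed tag name used to make these events searchable.
    mutate { add_tag => ["UNPARSED"] }
  } else if [app][stack_trace] {
    mutate { add_tag => ["EXCEPTION"] }
  }
}

output {
  # Print the full event structure to confirm where the parsed fields landed.
  stdout { codec => rubydebug }
}
```

Checking the rubydebug output for the `app` sub-document confirms the field path before relying on the `EXCEPTION` tag downstream.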