Grok filter for different type of messages

Hi,

I am trying to parse Cloud Foundry log messages. There are different types of messages added by Cloud Foundry, and one type is APP. There are different APP messages, like the standard APACHELOG format, stack traces and exit statements, as below.
2017-11-30T14:30:39.498-07:00 [APP/PROC/WEB/0] [OUT] Exit status 143
2017-11-30T14:00:41.314-07:00 [APP/PROC/WEB/1] [OUT] 2017-11-30 21:00:41.314 WARN 20 --- [io-8080-exec-10] c.g.g.c.r.filter.FilterRepositoryImpl : Could not create predicate. enabled is not a member of IssueSummaryEntity
2017-11-30T14:31:39.996-07:00 [APP/PROC/WEB/0] [OUT] \/ _)| |)| | | | | || (| | ) ) ) )
2017-11-30T14:31:39.997-07:00 [APP/PROC/WEB/0] [OUT] :: Spring Boot :: (v1.5.1.RELEASE)
2017-11-30T14:37:53.316-07:00 [APP/PROC/WEB/0] [OUT] ORA-06512: at line 1
2017-11-30T14:37:53.316-07:00 [APP/PROC/WEB/0] [OUT] ; nested exception is java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (GIMS.AK_CPV_VIN) violated
2017-11-30T14:37:53.316-07:00 [APP/PROC/WEB/0] [OUT] at com.gm.gims.ctf.repository.program.VehicleRepositoryImpl.batchModifyVehicles(VehicleRepositoryImpl.java:143) ~[classes/:na]

I am using the following filter to parse till the actual message.

filter {
  if "APP" in [message] {
    # Parse the Cloud Foundry prefix: timestamp, [source], [channel], then the actual message
    grok {
      match => {
        "message" => ["%{TIMESTAMP_ISO8601:pcfTime} \[%{PROG:log_Type}\] \[%{WORD:log_channel}\] %{GREEDYDATA:msg}"]
      }
    }
    # Tag stack trace frames
    if [msg] =~ "at" {
      grok {
        match => ["msg", "^(at)"]
        add_tag => ["stacktrace"]
      }
    }
    # Tag exception cause lines
    if [msg] =~ "Caused by:" {
      grok {
        match => ["msg", "^(Caused by:)"]
        add_tag => ["stacktrace"]
      }
    }
    # Tag Oracle error lines
    if [msg] =~ "ORA" {
      grok {
        match => ["msg", "^(ORA)"]
        add_tag => ["OracleError"]
      }
    }
  }
  # Parse Spring Boot application log lines
  grok {
    match => {
      "msg" => ["%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log_level} %{NUMBER} --- \[%{USERNAME}\] %{NOTSPACE:ClassName} %{GREEDYDATA:msg}",
                "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log_level} %{NUMBER} --- \[%{SPACE}%{WORD}\] %{NOTSPACE:ClassName} %{GREEDYDATA:msg}"]
    }
  }
}

The if conditions which are testing if msg has the "at" / "Caused by" / "ORA" words are not working.

I would like to check if the msg starts with the "at" / "Caused by" / "ORA" words and add a suitable tag to the message.

Please provide some suggestions to parse all types of log statements I have provided above.

Thanks,
ShruthiS
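
An added example, not part of the original post: one way to tag by how the payload starts is to use anchored regex conditionals with `mutate`, so that lines which do not match never pick up `_grokparsefailure`, and to run the Spring Boot grok only on payloads that begin with a date. The tags `app_exit` and `_cf_prefix_parsefailure` and the fields `exit_status`, `pid` and `thread` are names assumed for this example.

```logstash
filter {
  if "[APP/" in [message] {
    # Cloud Foundry prefix: timestamp [source] [channel] payload.
    # Literal brackets are escaped; unescaped, grok reads them as a regex character class.
    grok {
      match => {
        "message" => "^%{TIMESTAMP_ISO8601:pcfTime} \[%{PROG:log_Type}\] \[%{WORD:log_channel}\] %{GREEDYDATA:msg}$"
      }
      # Assumed tag name: keeps prefix failures distinguishable from payload failures.
      tag_on_failure => ["_cf_prefix_parsefailure"]
    }

    # Classify by the start of the payload. \s* allows for the indentation
    # that Java puts in front of stack frames.
    if [msg] =~ /^\s*(at\s|Caused by:)/ {
      mutate { add_tag => ["stacktrace"] }
    } else if [msg] =~ /^ORA-\d+/ {
      mutate { add_tag => ["OracleError"] }
    } else if [msg] =~ /^Exit status \d+/ {
      grok {
        match => { "msg" => "^Exit status %{INT:exit_status:int}" }
        add_tag => ["app_exit"]
      }
    } else if [msg] =~ /^\d{4}-\d{2}-\d{2} / {
      # Spring Boot line: date level pid --- [thread] class : text
      grok {
        match => {
          "msg" => "^%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:log_level}\s+%{NUMBER:pid}\s+---\s+\[\s*%{DATA:thread}\]\s+%{NOTSPACE:ClassName}\s*:\s+%{GREEDYDATA:msg}"
        }
        # Replace msg with the captured text instead of turning it into an array.
        overwrite => ["msg"]
      }
    }
    # Anything else (banner lines, "; nested exception is ...") keeps msg untagged.
  }
}
```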
