Grok multiline parse failures

Jordan160 · October 19, 2017, 6:47pm

Hello,

I am fairly new to ELK stack and currently am having issues with GROK filter.

My pattern matches when using http://grokconstructor.appspot.com, but it still seems to be breaking on a particular log pattern that has multiple lines/spaces.

Example log:

2017-10-19 13:35:03,732 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service jboss.undertow.listener.default: org.jboss.msc.service.StartException in service jboss.undertow.listener.default: Could not start http listener
at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:150)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

Pattern I'm using:

match => [ message => "(?m)%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:loglevel}%{SPACE}[%{DATA:class}]\s(%{DATA:thread})\s(?(.|\r|\n)*)" ]

Any suggestions is greatly appreciated.

magnusbaeck · October 19, 2017, 7:17pm

Why do you need all the (?(.|\r|\n)*) stuff at the end? Don't you want to catch everything after the thread name in one field?

Don't use DATA in multiple places. You don't need it. Use (?<class>[^\]]+) and (?<thread>[^)]+) instead. (Side node: I suspect "class" is the wrong fieldname. I suspect it's actually the logger name, although the logger name usually happens to be the same as the class name.)

Jordan160 · October 19, 2017, 7:36pm

Thanks for the reply.

I've replaced class/thread with your suggestions. My goal is to capture everything after thread into a field "logmessage".

I've tried: (?(.|\r|\n)*) and %{GREEDYDATA:logmessage} but both appear to not parse the next lines and give me the grokparseerror:

magnusbaeck · October 19, 2017, 8:01pm

I'm pretty sure GREEDYDATA matches newlines. What if you leave out that part at the end, does that make the grok expression work?

Jordan160 · October 19, 2017, 8:12pm

It does not work because it tries to evaluate the next line as a new line still:

I've tried switching the pattern between pattern => "^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}" and pattern => "^(?!201)" but it is still not parsing these lines correctly.

magnusbaeck · October 20, 2017, 4:41am

Oh, so it's really a multiline codec problem. That wasn't clear at all. Don't use the multiline codec with the Beats input. Do multiline processing on the Filebeat side. Its documentation contains an example of almost exactly your kind of log.

Jordan160 · October 20, 2017, 3:58pm

That did the trick, thanks a bunch for your help!

system · November 17, 2017, 3:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok Pattern For Java stack traces Logstash	1	476	December 14, 2022
Need to parse multi-lines log message Logstash	4	122	May 27, 2024
(Help needed) Same grok pattern, multiple matches Logstash	2	586	January 24, 2018
Grok Filter only parses the first event matching the pattern Logstash	1	416	April 5, 2019
Multiline filter fails on one record when handling a large file Logstash	12	3280	July 6, 2017

Grok multiline parse failures

Related Topics