Grok pattern for java exception

Hi there!

I want to write a grok match pattern for a Java exception log entry like this one:

2016-12-16 21:28:05,668 ERROR [int-http-28] [nbiws::::] c.t.d.s.impl.DiagnosticServiceImpl - Error running a diagnostic workflow : 9003: Invalid arguments
com.twowire.dmc.listener.DeviceInteractionException: 9003: Invalid arguments
  at com.twowire.dmc.listener.DeviceInteractionTemplate.execute(DeviceInteractionTemplate.java:102) ~[cms-core-4.2.8.9.jar:4.2.8.9]
  at com.twowire.dmc.listener.DeviceInteractionTemplate.execute(DeviceInteractionTemplate.java:59) ~[cms-core-4.2.8.9.jar:4.2.8.9]
  at com.twowire.dmc.listener.DeviceInteractionTemplate.execute(DeviceInteractionTemplate.java:48) ~[cms-core-4.2.8.9.jar:4.2.8.9]

My Logstash conf file:

input {
    # Receive events shipped by Beats agents on TCP port 5044.
    # NOTE(review): only the port is set here. No TLS or client-authentication
    # options appear in this block, so unless they are configured elsewhere the
    # listener takes plaintext connections from any host that can reach the port.
    # Restrict the port at the network level or enable the plugin's TLS settings.
    beats {
        port => 5044
    }
}
filter {
     # Filters run in the order written. No grok filter precedes this check in this
     # block, so "_grokparsefailure" can only be present if something upstream added it.
     # NOTE(review): presumably this branch is never taken - confirm.
     if "_grokparsefailure" in [tags] {
  grok {
# NOTE(review): the pattern string is split across two lines, so the line break and
# the indentation between "%" and "{CATALINALOG" are part of the pattern as written;
# it is not read as a %{CATALINALOG:...} reference.
match => { "message" => "%{TOMCATLOG:exceptionText} %
     {CATALINALOG:messageText}" }
    }
 }
 # Nothing in this file adds an "exception" tag, so as posted every event enters this branch.
 if "exception" not in [tags] {

        # Parse the header line: timestamp, level, [thread], [mdc], logger class, message text.
        # NOTE(review): this describes only the first line of the sample. The exception and
        # "at ..." lines carry no timestamp or level; no multi-line joining is configured in
        # this file, so if they arrive as separate events they cannot match and are tagged
        # "_grokparsefailure" - presumably the failures reported; confirm. With a Beats
        # input the lines are normally joined on the shipper side.
        # NOTE(review): the sample timestamp has a four-digit year (2016-12-16 21:28:05,668),
        # while the date filter below expects "yy-MM-dd" and its example reads "16-12-16",
        # which suggests DATESTAMP captures only the tail of the year - TODO confirm.
        # TIMESTAMP_ISO8601 with "yyyy-MM-dd HH:mm:ss,SSS" is the usual pairing for this format.
        grok {
            match => {
                message => "%{DATESTAMP:timestamp} %{LOGLEVEL:level}( +)\[%{DATA:thread}\] \[%{DATA:mdc}\] %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}"
    # Alternative left commented out by the author (GREEDYDATA:logmsg for the message text):
    #message => "%{DATESTAMP:timestamp} %{LOGLEVEL:level}( +)\[%{DATA:thread}\] \[%{DATA:mdc}\] %{JAVACLASS:class} - %{GREEDYDATA:logmsg}"
            }
            # Mark the event as a parsed "log" event; add_tag is applied only when the match succeeds.
            add_tag => ["log"]
      
        }

        # Everything below runs only for events the header grok matched.
        if "log" in [tags] {

            # Split the mdc field on ":" into username, deviceId, sessionId,
            # userInteraction and workflowName.
            # NOTE(review): in the sample the mdc is "nbiws::::", so every field after
            # username would be empty - confirm how the :int conversions behave on empty
            # captures. A value that itself contains ":" shifts every later field, which
            # matters if any of these values come from user input and are later used for
            # alerting or attribution.
            grok {
                match => {
                    mdc => "%{DATA:username}:%{DATA:deviceId:int}:%{DATA:sessionId}:%{DATA:userInteraction:int}:%{GREEDYDATA:workflowName}"
                }
            }
            # Parse the captured timestamp as GMT; no target is set, so the plugin's
            # default target field receives the result.
            date {
                timezone => GMT
                match => [
                               # Example of the value this format expects: "16-12-16 21:58:20,606"
                    "timestamp", "yy-MM-dd HH:mm:ss,SSS"
                ]
            }

        }



    # The brace on the next line closes the "exception" conditional above; the "alert"
    # check that follows is evaluated before the level field is rewritten further down.
    }          if [level] in ["ERROR", "error"] or [level] in ["FATAL", "fatal"]{
        mutate {
            add_tag => ["alert"]
        }
    }
   
   
 # Append a numeric severity to the level text (TRACE=0 ... FATAL=5), so the field
 # becomes e.g. "ERROR, 4". Only the exact upper-case and lower-case spellings listed
 # are handled; any other value leaves level unchanged.
 if [level] in ["TRACE", "trace"] {
        mutate {
        replace => {
        "level" => "%{level}, 0"
        }
      }
    }
     
    else if [level] in ["DEBUG", "debug"]{
        mutate {
            replace => {
            "level" => "%{level}, 1"
        }
        }
    }
   else if [level] in ["INFO", "info"]{
        mutate {
            replace => {
            "level" => "%{level}, 2"
        }
        }
    }
    else if [level] in ["WARN", "warn"]{
        mutate {
            replace => {
            "level" => "%{level}, 3"
        }
        }
    }
    else if [level] in ["ERROR", "error"]{
        mutate {
            replace => {
            "level" => "%{level}, 4"
        }
        }
    }
        else if [level] in ["FATAL", "fatal"]{
        mutate {
            replace => {
            "level" => "%{level}, 5"
        }
        }
    }
     


}
output {
    # Debug aid: events that failed a grok match are printed to stdout with @metadata.
    # NOTE(review): this prints the full unparsed event, so whatever the application
    # logged (including any sensitive values) ends up in Logstash's own stdout/log.
    if "_grokparsefailure" in [tags] {
        stdout {
            codec => rubydebug { metadata => true }
        }
    }

    # Only events tagged "log" whose level text contains ERROR, WARN, INFO or FATAL are
    # indexed. The checks are upper-case only, so lower-case levels and TRACE/DEBUG
    # events are not forwarded anywhere by this block.
    # NOTE(review): only hosts is set; no credentials or TLS options appear here, so
    # unless they are configured elsewhere events go to the cluster unauthenticated
    # and unencrypted.
    if "log" in [tags] {
        if "ERROR" in [level] or "WARN" in [level] or "INFO" in [level] {
            elasticsearch {
                hosts => ["x.com"]
            }
        }
        # Host string reproduced as posted; the doubled dot looks like a redaction
        # typo - confirm.
        else if "FATAL" in [level] {
            elasticsearch {
                hosts => ["x..com"]
            }
        }
    }
}

When I run Logstash, the events are tagged with "_grokparsefailure".

any help please?
Thanks!

For starters I'm pretty sure DATESTAMP won't match this kind of timestamp. Build your expression gradually, possibly using the grok constructor web site as help.


I am now building the pattern using the grok debugger, and it's working fine.

Thanks for your help!
