Hi there!
I'm getting "grokparsefailure" error when I use "multiline" codec in the input, Is the "pattern" I had in my input is fine??
Here is my java exception message
2016-12-16 21:28:05,668 ERROR [int-http-28] [nbiws::::] c.t.d.s.impl.DiagnosticServiceImpl - Error running a diagnostic workflow : 9003: Invalid arguments
com.twowire.dmc.listener.DeviceInteractionException: 9003: Invalid arguments
at com.twowire.dmc.listener.DeviceInteractionTemplate.execute(DeviceInteractionTemplate.java:102) ~[cms-core-4.2.8.9.jar:4.2.8.9]
at com.twowire.dmc.listener.DeviceInteractionTemplate.execute(DeviceInteractionTemplate.java:59) ~[cms-core-4.2.8.9.jar:4.2.8.9]
at com.twowire.dmc.listener.DeviceInteractionTemplate.execute(DeviceInteractionTemplate.java:48) ~[cms-core-4.2.8.9.jar:4.2.8.9]
at com.twowire.dmc.service.impl.DiagnosticServiceImpl.runDiags(DiagnosticServiceImpl.java:78) [cms-core-4.2.8.9.jar:4.2.8.9]
at com.twowire.dmc.service.impl.DiagnosticServiceImpl.runDiags(DiagnosticServiceImpl.java:39) [cms-core-4.2.8.9.jar:4.2.8.9]
at com.twowire.dmc.service.impl.DiagnosticServiceImpl$$FastClassBySpringCGLIB$$f1fa12f7.invoke() [spring-core-4.1.6.RELEASE.jar:4.2.8.9]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) [spring-core-4.1.6.RELEASE.jar:4.1.6.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:717) [spring-aop-4.1.6.RELEASE.jar:4.1.6.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) [spring-aop-4.1.6.RELEASE.jar:4.1.6.RELEASE]
Logstash.conf file:
input {
stdin {
codec => multiline {
pattern => "^\s+(at|...)\s"
what => "previous"
# Record that this is an "exception" event.
multiline_tag => "exception"
}
}
}
filter {
if "exception" not in [tags] {
# example output:
# 2016-12-16 20:43:20,535 DEBUG [CWMP-processor-6] [00D09E-0000000001:1002:C5852D7218635D7B09FE0DDE0FBE75F5:0:] c.twowire.dmc.service.PolicySvcImpl - Device matched policy 1001
# encoder pattern (dmc/conf/logback.xml):
# %date{ISO8601} %-5level [%thread] [%X{username}:%X{deviceId}:%X{sessionId}:%X{userInteraction}:%X{workflowName}] %logger{35} - %msg%n
grok {
match => {
message => "%{DATESTAMP:timestamp} %{LOGLEVEL:level}( +)\[%{DATA:thread}\] \[%{DATA:mdc}\] %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}"
}
# Record that this is an "log" event.
add_tag => ["log"]
}
if "log" in [tags] {
grok {
match => {
mdc => "%{DATA:username}:%{DATA:deviceId:int}:%{DATA:sessionId}:%{DATA:userInteraction:int}:%{GREEDYDATA:workflowName}"
}
}
grok {
match => {
logmessage => "Ending Session. Elapsed Server Time %{INT:endSessionServerTime:int}ms. Elapsed client wait time %{INT:endSessionClientWaitTime:int}ms. Total is %{INT:endSessionTotalTime:int}ms."
}
add_tag => ["endSession"]
} date {
timezone => GMT
match => [
# "16-12-16 21:58:20,606"
"timestamp", "yy-MM-dd HH:mm:ss,SSS"
]
}
output {
if "_grokparsefailure" in [tags] {
stdout { codec => rubydebug }
}
if "log" in [tags]{
elasticsearch { hosts => ["xxx.lab.ts.com"] }
}
}
Could any one help me out where I'm going wrong?
Thanks!