(Help needed) Same grok pattern, multiple matches

Greetings,

I'm having a difficult time classifying some JBoss logs when it sends me Java exceptions.

Here is my logstash.config

filter {
  grok {
    match => { "message" => "\.(?<java_exception>(.)*Exception):(.|\r|\n)*" }
  }
}

And here is a message example

Throwable while attempting to get a new connection: null
org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (com.microsoft.sqlserver.jdbc.SQLServerException: Cannot open database "database" requested by the login. The login failed.

What I get in return is:

{
  "java_exception": "jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (com.microsoft.sqlserver.jdbc.SQLServerException"
}

What I would like to get in return is an array

{
  "java_exception": ["JBossResourceException", "SQLServerException"]
}

Does anyone know if it is possible?

Thanks in advance.

I've altered my grok filter to this:

\.(?<java_exception>([A-z])*Exception):(.|\r|\n)*

So now I get a better result:

{
  "java_exception": "JBossResourceException"
}

But still, I needed both matches:

{
  "java_exception": ["JBossResourceException", "SQLServerException"]
}

Anything that could help?
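
An added example, not part of the original posts: grok applies a pattern once per field, so a named capture holds a single string; collecting every exception name means scanning the message, which can be done in Ruby (the language of Logstash's `ruby` filter). The `EXCEPTION_NAME` pattern, the helper names and the filter wiring in the comment are assumptions made for this illustration.

```ruby
# Constructed sample: the two-line JBoss message quoted in the post.
MESSAGE = "Throwable while attempting to get a new connection: null\n" \
  "org.jboss.resource.JBossResourceException: Could not create connection; " \
  "- nested throwable: (com.microsoft.sqlserver.jdbc.SQLServerException: " \
  "Cannot open database \"database\" requested by the login. The login failed."

# The two patterns from the post, unchanged. A regex match yields one value
# per named group, so each returns a single string, never an array.
GREEDY = /\.(?<java_exception>(.)*Exception):(.|\r|\n)*/
# Note: [A-z] also matches the six ASCII punctuation characters between Z and a.
NARROW = /\.(?<java_exception>([A-z])*Exception):(.|\r|\n)*/

# Hypothetical replacement pattern: a Java simple class name ending in
# "Exception", preceded by the package dot and followed by a colon.
EXCEPTION_NAME = /(?<=\.)[A-Za-z_$][\w$]*Exception(?=:)/

# What a single match (grok-style) captures for a given pattern.
def first_match(pattern, text)
  m = pattern.match(text.to_s)
  m && m[:java_exception]
end

# Every exception class name in the message, in order, without duplicates.
# A nil or empty message yields an empty array.
def exception_names(text)
  text.to_s.scan(EXCEPTION_NAME).uniq
end

# Assumed wiring inside a Logstash ruby filter (Event API get/set):
#   event.set("java_exception", exception_names(event.get("message")))

if __FILE__ == $0
  puts first_match(GREEDY, MESSAGE)   # the over-long capture from the first post
  puts first_match(NARROW, MESSAGE)   # only the first exception name
  p exception_names(MESSAGE)          # both names as an array
end
```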
