How to create Grok Filter Pattern for Tomcat logs

Jun 29, 2008 11:16:20 AM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Jun 29, 2008 11:16:20 AM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
Jun 29, 2008 11:22:43 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet jsp threw exception
org.apache.jasper.JasperException: /testmysql.jsp(3,4) Invalid directive
at org.apache.jasper.compiler.DefaultErrorHandler.jspError(DefaultErrorHandler.java:40)
at org.apache.jasper.compiler.ErrorDispatcher.dispatch(ErrorDispatcher.java:407)
at org.apache.jasper.compiler.ErrorDispatcher.jspError(ErrorDispatcher.java:88)
at org.apache.jasper.compiler.Parser.parseDirective(Parser.java:506)
at org.apache.jasper.compiler.Parser.parseElements(Parser.java:1433)
at org.apache.jasper.compiler.Parser.parse(Parser.java:133)
at org.apache.jasper.compiler.ParserController.doParse(ParserController.java:216)
at org.apache.jasper.compiler.ParserController.parse(ParserController.java:103)
at org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:153)
at org.apache.jasper.compiler.Compiler.compile(Compiler.java:314)
at org.apache.jasper.compiler.Compiler.compile(Compiler.java:294)
at org.apache.jasper.compiler.Compiler.compile(Compiler.java:281)
at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:566)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:317)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:337)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)

My Tomcat logs look something like this.
I want to know how to create a Grok filter pattern for this type of log.

First of all, are you using a multiline codec (or Filebeat's multiline feature if you're using Filebeat to read the logs)?

If so, try using the grok constructor site to set up a grok expression.

@magnusbaeck thank you for the reply.
I have set up the Filebeat and Logstash configuration, but the problem I am facing is that I am not able to query my results by timestamp, as there are two timestamps (@timestamp and timestamp).

Please help me.

Regards
Shrikant

The presence of two timestamps isn't a problem in itself.

Use a date filter to parse timestamp into @timestamp, then delete timestamp.

@magnusbaeck thank you for the reply.
I applied the filter; my Logstash config is:

input {
  beats {
    port => 5044
  }
}
filter {
  grok {
    # Literal square brackets are escaped; unescaped, they form a regex character class.
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \[%{LOGLEVEL:level}\]%{GREEDYDATA:messageText}%{IP:client}" }
  }
  date {
    match => ["timestamp", "yyyy-MM-dd HH:mm:ss.SSS", "ISO8601"]
    timezone => "UTC"
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "roha"
  }
  stdout {}
}
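
An added example, not part of the original thread or of either poster's configuration: one way to apply the advice above to the two-line java.util.logging format shown in the first post, parsing the event time into @timestamp and then dropping the extra field. The field names `class`, `method`, `level` and `messageText`, the UTC timezone, and the Filebeat multiline settings in the comments are assumptions.

```logstash
# Filebeat side (filebeat.yml), shown as comments: join every line that does
# not start with a date such as "Jun 29, 2008 " onto the preceding event, so
# the level line and the stack trace travel with their header line.
#   multiline.pattern: '^[A-Z][a-z]{2} [0-9]{1,2}, [0-9]{4} '
#   multiline.negate: true
#   multiline.match: after

filter {
  grok {
    # Line 1 of an event: "Jun 29, 2008 11:22:43 AM <class> <method>"
    # Line 2 onwards:     "<LEVEL>: <message>" plus any stack-trace lines.
    # (?m) lets GREEDYDATA run across the newlines of the joined event.
    # WORD is used for the level because java.util.logging also emits
    # levels such as FINE and CONFIG.
    match => {
      "message" => "(?m)^(?<timestamp>%{MONTH} %{MONTHDAY}, %{YEAR} %{TIME} (?:AM|PM)) %{JAVACLASS:class} %{NOTSPACE:method}\r?\n%{WORD:level}: %{GREEDYDATA:messageText}"
    }
  }
  date {
    # Joda-style format for "Jun 29, 2008 11:22:43 AM"
    match => ["timestamp", "MMM d, yyyy h:mm:ss a"]
    locale => "en"
    timezone => "UTC"               # assumption: set to the server's zone
    # Applied only when the date parsed, so a failed parse keeps the
    # original string available for troubleshooting.
    remove_field => ["timestamp"]
  }
}
```

Events that do not match are tagged `_grokparsefailure` and keep the ingest time in @timestamp, so filtering on that tag shows which lines the pattern misses.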
