I am trying to parse the thread dump data, which is below:
"NioProcessor-2" prio=10 tid=0x0a8d2800 nid=0x2737 runnable [0x49aa5000]
 java.lang.Thread.State: RUNNABLE
 at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)
 at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:210)
 at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:65)
 at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)
 - locked <0x74c52678> (a sun.nio.ch.Util$1)
 - locked <0x74c52668> (a java.util.Collections$UnmodifiableSet)
 - locked <0x74c501b0> (a sun.nio.ch.EPollSelectorImpl)
 at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)
 at external.org.apache.mina.transport.socket.nio.NioProcessor.select(NioProcessor.java:65)
Using a grok filter, I was able to filter the data. The match pattern used is below:
grok {
  match => {"message" => "%{QUOTEDSTRING:thread_name} %{GREEDYDATA}: %{DATA:thread_state}\n%{SPACE}%{GREEDYDATA:stack}"}
}
From the stack field, in order to extract the locked id, I used another grok filter.
grok {
  match => ["stack", "%{GREEDYDATA}%{SPACE} -%{SPACE}%{WORD:locked}%{SPACE}<%{BASE16NUM:locked_id}>"]
}
Here is the output:
{
"offset" => 30,
"input_type" => "log",
"count" => 1,
"message" => "\"NioProcessor-2\" prio=10 tid=0x0a8d2800 nid=0x2737 runnable [0x49aa5000]\n java.lang.Thread.State: RUNNABLE\n at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)\n at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:210)\n at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:65)\n at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)\n - locked <0x74c52678> (a sun.nio.ch.Util$1)\n - locked <0x74c52668> (a java.util.Collections$UnmodifiableSet)\n - locked <0x74c501b0> (a sun.nio.ch.EPollSelectorImpl)\n at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)\n at external.org.apache.mina.transport.socket.nio.NioProcessor.select(NioProcessor.java:65)\n",
"type" => "threaddump",
"locked_id" => "0x74c501b0",
"tags" => [
[0] "beats_input_codec_plain_applied"
],
"@timestamp" => 2017-05-24T01:33:33.867Z,
"thread_name" => "NioProcessor-2",
"thread_state" => "RUNNABLE",
"locked" => "locked",
"stack" => "at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)\n at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:210)\n at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:65)\n at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)\n - locked <0x74c52678> (a sun.nio.ch.Util$1)\n - locked <0x74c52668> (a java.util.Collections$UnmodifiableSet)\n - locked <0x74c501b0> (a sun.nio.ch.EPollSelectorImpl)\n at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)\n at external.org.apache.mina.transport.socket.nio.NioProcessor.select(NioProcessor.java:65)\n",
}
The "stack" field has three "- locked" statements, but it extracted only a single locked statement. How do I add a match to extract all three locked statements? I have added a match pattern inside grok, which will match the locked statement.
What I don't understand is that it has multiple matches for the stack field, but it has written out only one match to the output.
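
Added example (not part of the original post): a Ruby sketch of why a single regex match with a greedy prefix returns only the last `- locked` id, next to a `scan` that collects every monitor line. `GROK_LIKE` is a hand-written approximation of the second grok pattern, and `single_match`, `all_locks`, `ACTIONS` and `LOCK_LINE` are hypothetical names; the example also goes beyond the post by recognising `waiting on`, `waiting to lock` and `parking to wait for` lines.

```ruby
# Constructed input: the "stack" field value from the output above.
STACK = [
  'at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)',
  'at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:210)',
  'at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:65)',
  'at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)',
  '- locked <0x74c52678> (a sun.nio.ch.Util$1)',
  '- locked <0x74c52668> (a java.util.Collections$UnmodifiableSet)',
  '- locked <0x74c501b0> (a sun.nio.ch.EPollSelectorImpl)',
  'at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)',
  'at external.org.apache.mina.transport.socket.nio.NioProcessor.select(NioProcessor.java:65)'
].join("\n ") + "\n"

# Hand-expanded approximation of the second grok pattern (an assumption, not
# grok's exact expansion). /m lets "." cross newlines, which agrees with the
# output above, where the captured id comes from the last "- locked" line.
GROK_LIKE = /.*\s* -\s*(?<locked>\w+)\s*<(?<locked_id>(?:0x)?\h+)>/m

# One regex match yields one value per named capture. The greedy ".*" prefix
# consumes as much as it can, so the captures land on the LAST lock line.
def single_match(stack)
  m = GROK_LIKE.match(stack)
  m && m[:locked_id]
end

# Monitor lines in a HotSpot thread dump: "- <action> <0xID> (a <class>)".
ACTIONS = 'locked|waiting on|waiting to lock|parking to wait for'
LOCK_LINE = /^\s*-\s+(?<action>#{ACTIONS})\s+<(?<id>0x\h+)>\s+\(a (?<cls>[^)]+)\)/

# scan walks the whole string and returns every match, in order.
def all_locks(stack)
  stack.scan(LOCK_LINE).map do |action, id, cls|
    { action: action, id: id, class: cls }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "single match : #{single_match(STACK)}"
  puts "all lock ids : #{all_locks(STACK).map { |l| l[:id] }.join(', ')}"
end
```

In a Logstash `ruby` filter the same `scan` can run on `event.get("stack")`, with the resulting array stored through `event.set`, which gives one array-valued field instead of a single `locked_id`.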