How to have multiple matches for the same filter in grok?

I am trying to parse the thread dump data, which is below:

    "NioProcessor-2" prio=10 tid=0x0a8d2800 nid=0x2737 runnable [0x49aa5000]
       java.lang.Thread.State: RUNNABLE
            at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)
            at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:210)
            at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:65)
            at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)
            - locked <0x74c52678> (a sun.nio.ch.Util$1)
            - locked <0x74c52668> (a java.util.Collections$UnmodifiableSet)
            - locked <0x74c501b0> (a sun.nio.ch.EPollSelectorImpl)
            at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)
            at external.org.apache.mina.transport.socket.nio.NioProcessor.select(NioProcessor.java:65)

Using a grok filter, I was able to filter the data. The match pattern used is below:

    grok {
      # Capture the thread name, the thread state, and the remaining stack lines.
      match => {"message" => "%{QUOTEDSTRING:thread_name} %{GREEDYDATA}: %{DATA:thread_state}\n%{SPACE}%{GREEDYDATA:stack}"}
    }

From the stack field, in order to extract the locked id, I used another grok filter.

    grok {
      # Applied to the "stack" field produced by the first grok filter.
      match => ["stack", "%{GREEDYDATA}%{SPACE} -%{SPACE}%{WORD:locked}%{SPACE}<%{BASE16NUM:locked_id}>"]
    }

Here is the output:

    {
             "offset" => 30,
             "input_type" => "log",
             "count" => 1,
             "message" => "\"NioProcessor-2\" prio=10 tid=0x0a8d2800 nid=0x2737 runnable [0x49aa5000]\n   java.lang.Thread.State: RUNNABLE\n        at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)\n        at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:210)\n        at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:65)\n        at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)\n        - locked <0x74c52678> (a sun.nio.ch.Util$1)\n        - locked <0x74c52668> (a java.util.Collections$UnmodifiableSet)\n        - locked <0x74c501b0> (a sun.nio.ch.EPollSelectorImpl)\n        at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)\n        at external.org.apache.mina.transport.socket.nio.NioProcessor.select(NioProcessor.java:65)\n",
             "type" => "threaddump",
             "locked_id" => "0x74c501b0",
                "tags" => [
            [0] "beats_input_codec_plain_applied"
        ],
            "@timestamp" => 2017-05-24T01:33:33.867Z,
            "thread_name" => "NioProcessor-2",
            "thread_state" => "RUNNABLE",
            "locked" => "locked",
            "stack" => "at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)\n        at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:210)\n        at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:65)\n        at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)\n        - locked <0x74c52678> (a sun.nio.ch.Util$1)\n        - locked <0x74c52668> (a java.util.Collections$UnmodifiableSet)\n        - locked <0x74c501b0> (a sun.nio.ch.EPollSelectorImpl)\n        at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)\n        at external.org.apache.mina.transport.socket.nio.NioProcessor.select(NioProcessor.java:65)\n",
    }

The "stack" field has three "- locked" statements, but only a single locked statement was extracted. How do I add a match to extract all three locked statements? I have added a match pattern inside grok, which will match the locked statement.

What I don't understand is that it has multiple matches for the stack field, but it has written out only one match to the output.
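An added example, not part of the original post: a Ruby sketch of the behaviour described above. A grok pattern is applied as one regex match, which yields one set of captures, whereas scanning the field line by line returns every lock entry. The regexes are hand-expanded approximations of the post's pattern, the `/m` flag is an assumption chosen to reproduce the post's output, and the names `single_match` and `all_locks` are hypothetical.

```ruby
# Constructed sample: part of the "stack" field value shown in the post's output.
STACK = [
  'at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)',
  '        - locked <0x74c52678> (a sun.nio.ch.Util$1)',
  '        - locked <0x74c52668> (a java.util.Collections$UnmodifiableSet)',
  '        - locked <0x74c501b0> (a sun.nio.ch.EPollSelectorImpl)',
  '        at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)'
].join("\n")

# Approximation of the post's second pattern (assumption: GREEDYDATA -> .*,
# SPACE -> \s*, WORD -> \w+, BASE16NUM -> 0x-prefixed hex). With /m the
# leading ".*" can cross newlines, so it swallows the earlier lock lines.
SINGLE = /.*\s* -\s*(?<locked>\w+)\s*<(?<locked_id>0x[0-9A-Fa-f]+)>/m

# One regex match gives one set of named captures: only the last lock id.
def single_match(stack)
  m = SINGLE.match(stack)
  m && { "locked" => m[:locked], "locked_id" => m[:locked_id] }
end

# Line-anchored pattern for one monitor entry: state, object id, class name.
LOCK_LINE = /^\s*-\s+(\w+)\s+<(0x[0-9A-Fa-f]+)>\s+\(a ([^)]+)\)/

# scan returns every non-overlapping match, so each lock line becomes a record.
def all_locks(stack)
  stack.scan(LOCK_LINE).map do |state, id, klass|
    { "state" => state, "locked_id" => id, "class" => klass }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "single match: #{single_match(STACK).inspect}"
  all_locks(STACK).each { |lock| puts "scan: #{lock.inspect}" }
end
```

Inside a Logstash `ruby` filter the same `scan` can run on `event.get("stack")`, with the resulting array stored through `event.set`.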
