How to have multiple matches for the same filter in grok?


#1

I am trying to parse thread dump data, which looks like this:

    "NioProcessor-2" prio=10 tid=0x0a8d2800 nid=0x2737 runnable [0x49aa5000]
       java.lang.Thread.State: RUNNABLE
            at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)
            at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:210)
            at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:65)
            at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)
            - locked <0x74c52678> (a sun.nio.ch.Util$1)
            - locked <0x74c52668> (a java.util.Collections$UnmodifiableSet)
            - locked <0x74c501b0> (a sun.nio.ch.EPollSelectorImpl)
            at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)
            at external.org.apache.mina.transport.socket.nio.NioProcessor.select(NioProcessor.java:65)

Using a grok filter, I was able to parse the data. The match pattern used is below:

    grok {
      match => { "message" => "%{QUOTEDSTRING:thread_name} %{GREEDYDATA}: %{DATA:thread_state}\n%{SPACE}%{GREEDYDATA:stack}" }
    }

From the stack field, in order to extract the locked id, I used another grok filter:

    grok {
      match => [ "stack", "%{GREEDYDATA}%{SPACE} -%{SPACE}%{WORD:locked}%{SPACE}<%{BASE16NUM:locked_id}>" ]
    }

Here is the output:

    {
              "offset" => 30,
          "input_type" => "log",
               "count" => 1,
             "message" => "\"NioProcessor-2\" prio=10 tid=0x0a8d2800 nid=0x2737 runnable [0x49aa5000]\n   java.lang.Thread.State: RUNNABLE\n        at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)\n        at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:210)\n        at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:65)\n        at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)\n        - locked <0x74c52678> (a sun.nio.ch.Util$1)\n        - locked <0x74c52668> (a java.util.Collections$UnmodifiableSet)\n        - locked <0x74c501b0> (a sun.nio.ch.EPollSelectorImpl)\n        at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)\n        at external.org.apache.mina.transport.socket.nio.NioProcessor.select(NioProcessor.java:65)\n",
                "type" => "threaddump",
           "locked_id" => "0x74c501b0",
                "tags" => [
            [0] "beats_input_codec_plain_applied"
        ],
          "@timestamp" => 2017-05-24T01:33:33.867Z,
         "thread_name" => "NioProcessor-2",
        "thread_state" => "RUNNABLE",
              "locked" => "locked",
               "stack" => "at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)\n        at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:210)\n        at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:65)\n        at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)\n        - locked <0x74c52678> (a sun.nio.ch.Util$1)\n        - locked <0x74c52668> (a java.util.Collections$UnmodifiableSet)\n        - locked <0x74c501b0> (a sun.nio.ch.EPollSelectorImpl)\n        at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)\n        at external.org.apache.mina.transport.socket.nio.NioProcessor.select(NioProcessor.java:65)\n",
    }

The "stack" field has three "- locked" statements, but only a single locked statement was extracted. How do I add a match to extract all three locked statements? I have added a match pattern inside grok which matches the locked statement.

What I don't understand is that there are multiple matches for the stack field, but only one match has been written to the output.
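The following is an added example, not code from the original post or from Logstash itself. It reproduces the behaviour shown in the output above and then collects every monitor. The second grok pattern starts with `%{GREEDYDATA}`, and the output (the last id, `0x74c501b0`, rather than the first) shows that `.` crossed newlines here, so the greedy prefix runs to the end of the stack and backtracks to the last `- locked` line. A grok match fills each named capture exactly once, so one pattern can never return three `locked_id` values. The usual way out is a `ruby` filter that scans the `stack` field repeatedly; the field names `locked_ids`, `locked_classes` and `locked_count`, the `FakeEvent` stand-in for the Logstash event object, and the sample stack are my own constructions.

```ruby
# Added example (not from the original post): why the question's grok pattern
# yields only one locked_id, and how a Logstash `ruby` filter body would
# collect all three. Sample input is constructed from the "stack" field shown
# in the question's output (first line unindented, the rest indented 8 spaces).
STACK = [
  'at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)',
  '        at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:210)',
  '        at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:65)',
  '        at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)',
  '        - locked <0x74c52678> (a sun.nio.ch.Util$1)',
  '        - locked <0x74c52668> (a java.util.Collections$UnmodifiableSet)',
  '        - locked <0x74c501b0> (a sun.nio.ch.EPollSelectorImpl)',
  '        at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)',
  '        at external.org.apache.mina.transport.socket.nio.NioProcessor.select(NioProcessor.java:65)',
].join("\n") + "\n"

# Approximate Ruby regex equivalent of the question's second grok pattern:
#   %{GREEDYDATA}%{SPACE} -%{SPACE}%{WORD:locked}%{SPACE}<%{BASE16NUM:locked_id}>
# The /m flag lets `.` match "\n", which is what the observed output implies:
# GREEDYDATA swallows the whole stack and backtracks to the LAST "- locked"
# line. One match gives one value per named capture, hence one locked_id.
GROK_EQUIVALENT = /.*\s* -\s*(?<locked>\w+)\s*<(?<locked_id>0x[0-9A-Fa-f]+)>/m

def last_locked_id(stack)
  m = GROK_EQUIVALENT.match(stack)
  m && m[:locked_id]
end

# To keep every monitor, match a per-line pattern repeatedly instead of once.
LOCKED_LINE = /^\s*-\s*(?<locked>\w+)\s*<(?<locked_id>0x[0-9A-Fa-f]+)>\s*\(a (?<klass>[^)]+)\)/

def all_locked(stack)
  stack.scan(LOCKED_LINE).map do |locked, id, klass|
    { 'locked' => locked, 'locked_id' => id, 'class' => klass }
  end
end

# Minimal stand-in for the Logstash event object so the filter body runs here;
# inside Logstash the real event offers the same get/set methods.
class FakeEvent
  def initialize(fields)
    @fields = fields
  end

  def get(name)
    @fields[name]
  end

  def set(name, value)
    @fields[name] = value
  end

  def to_hash
    @fields
  end
end

# Body of a Logstash `ruby { code => "..." }` filter placed after the grok that
# produced the "stack" field. Field names other than "stack" are my choice.
def enrich_with_locks(event)
  monitors = all_locked(event.get('stack').to_s)
  event.set('locked_ids', monitors.map { |m| m['locked_id'] })
  event.set('locked_classes', monitors.map { |m| m['class'] })
  event.set('locked_count', monitors.size)
  event
end

if __FILE__ == $PROGRAM_NAME
  puts "single grok-style match: #{last_locked_id(STACK)}"
  ev = enrich_with_locks(FakeEvent.new('stack' => STACK))
  puts ev.to_hash.slice('locked_ids', 'locked_count').inspect
end
```

Storing the ids as an array field (`locked_ids`) rather than three separate fields keeps the mapping stable however many monitors a thread holds, and `locked_count` gives a cheap field to alert on when a thread is holding an unusual number of locks.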


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.