JAVALOGMESSAGE takes it all

I am starting to analyze logs with Filebeat and Logstash. Inside the grok definition I am using JAVALOGMESSAGE to extract the pure message. From my understanding, the pattern "(.*)" should mean something like "take any character but not a line break".
But when I let it run on a log entry that contains an exception, it returns the message AND the complete exception AND the complete stack trace, although I can see the \n in the message text.

In Filebeat the multiline option is activated.
What am I doing wrong here?

Here is my Logstash config:

input {
  beats {
    port => "5045"
  }
}

filter {
  grok {
    break_on_match => false
    match => [ "message", "(?<timestamp>%{TIMESTAMP_ISO8601}) (?<log_level>%{LOGLEVEL}) (?<logger_name>%{LOGGER}) - (?<log_message>%{JAVALOGMESSAGE})" ]
  }
  date {
    match => [ "timestamp_string", "ISO8601" ]
    remove_field => [ "timestamp_string" ]
  }
}

output {
  stdout { codec => rubydebug }
  # elasticsearch { hosts => [ "localhost:9200" ] }
}

Reply by myself: I have left JAVALOGMESSAGE aside for now and added a "manual" configuration like this:

	match =>  [ "message", "(?<timestamp>%{TIMESTAMP_ISO8601})%{SPACING}(?<log_level>%{LOGLEVEL})%{SPACING}(?<logger_name>%{LOGGER})%{SPACING}-%{SPACING}(?<log_message>[a-zA-Z$_0-9 \S]*)%{SPACING}(?<exceptionComplete>%{GREEDYDATA})" ]

And this is doing what I want. I probably forgot some characters inside the log_message declaration, but I will add those later on.

I still do not understand why "(.*)" is not working as desired.
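
The split that the reply above arrives at (first line as the message, everything after the line break as the exception), as an added example in plain Ruby regular expressions rather than grok. It is not code from the thread; the sample event, the constant names and `split_event` are constructed for illustration, and the sub-patterns are simplified stand-ins for the grok patterns.

```ruby
# Constructed sample: one event as a multiline-joined message, i.e. the log
# line and its stack trace separated by "\n" inside a single string.
SAMPLE_EVENT = [
  "2017-03-01 12:00:00,123 ERROR com.example.OrderService - Could not save order 42",
  "java.lang.IllegalStateException: connection closed",
  "\tat com.example.OrderService.save(OrderService.java:57)",
  "\tat com.example.Main.main(Main.java:12)"
].join("\n")

# Hypothetical, simplified stand-ins for TIMESTAMP_ISO8601, LOGLEVEL and LOGGER.
# The m flag lets "." match line breaks, so the last group can take the whole
# trace; the message group excludes line breaks explicitly instead of relying
# on what "." matches.
EVENT_RE = /
  \A
  (?<timestamp>\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?)\s+
  (?<log_level>[A-Z]+)\s+
  (?<logger_name>[\w.$]+)\s+-\s+
  (?<log_message>[^\r\n]*)                # first line only
  (?:\r?\n(?<exception_complete>.*))?     # remainder, when there is one
  \z
/mx

# Returns a hash of the named fields, or nil when the event does not match.
# exception_complete is nil for single-line events.
def split_event(message)
  m = EVENT_RE.match(message)
  m && m.named_captures
end

if __FILE__ == $0
  fields = split_event(SAMPLE_EVENT)
  puts "log_message:        #{fields['log_message']}"
  puts "exception (line 1): #{fields['exception_complete'].lines.first}"
end
```

Excluding `\r` and `\n` in the message group keeps the result independent of whether the engine's "." matches line breaks.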
