Hi,
I have a SystemError log which has two different formats for writing stacktraces.
One is:
[12/26/16 17:41:58:237 GMT+05:30] 0000010c SystemErr R com.ascd.qwer.common.SecurityViolationException: User Record not present.
[12/26/16 17:41:58:237 GMT+05:30] 0000010c SystemErr R at com.ascd.qwer.zxcv(ASDC.java:123)
[12/26/16 17:41:58:237 GMT+05:30] 0000010c SystemErr R at com.ascd.qwer.zxcv(oginEJBBean.java:1234)
[12/26/16 17:41:58:237 GMT+05:30] 0000010c SystemErr R at com.ascd.qwer.zxcv(Unknown Source)
[12/26/16 17:41:58:237 GMT+05:30] 0000010c SystemErr R at com.ascd.qwer.zxcv(_IIBTPLoginEJB_Stub.java:123)
[12/26/16 17:41:58:237 GMT+05:30] 0000010c SystemErr R at com.ascd.qwer.zxcv(oginCheckCmd.java:123)
[12/26/16 17:41:58:238 GMT+05:30] 0000010c SystemErr R at com.ascd.qwer.zxcv(edirectNav.java:123)
Other is:
[12/26/16 17:29:14:664 GMT+05:30] 000012db SystemErr R com.ascd.qwer.common.SecurityViolationException: User Record not present.
    at com.ascd.qwer.zxcv(ASDC.java:123)
    at com.ascd.qwer.zxcv(oginEJBBean.java:1234)
    at com.ascd.qwer.zxcv(Unknown Source)
    at com.ascd.qwer.zxcv(_IIBTPLoginEJB_Stub.java:123)
    at com.ascd.qwer.zxcv(oginCheckCmd.java:123)
    at com.ascd.qwer.zxcv(edirectNav.java:123)
My current logstash config is this:
input {
  file {
    type => "SystemError"
    path => "/path/to/file/*"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline {
      pattern => "^\s"
      what => "previous"
    }
  }
}
filter {
  grok {
    match => { "message" => "\[%{DATA:timestamp}] %{BASE16NUM:threadID} (?<shortname>\b[A-Za-z0-9\$]{2,}\b)%{SPACE}%{WORD:loglevel}%{SPACE} %{GREEDYDATA:message}" }
    overwrite => [ "message" ]
  }
  date {
    match => ["timestamp", "M/dd/yy HH:mm:ss:SSS zZZ"]
  }
}
But it only takes care of the second type. Please help. I need to append the stacktraces in the first type also to the message of the previous event.
Thanks.
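The reason the config above only handles the second format is that `pattern => "^\s"` with `what => "previous"` glues a line onto the preceding event only when it starts with whitespace; in the first format every frame starts with `[timestamp]`, so each frame becomes its own event. The fix is a continuation pattern that also accepts a line whose text *after* the `[timestamp] threadID SystemErr R` prefix looks like a stack frame. The script below is an added example, not the poster's code or a Logstash plugin: it re-implements the codec's "previous" grouping in Python so the pattern can be checked offline, applies a grok-equivalent regex to the first line of each event, and strips the repeated prefix from first-format frames so both formats yield an identical trace (useful when a detection rule keys on the exception text and frames). The sample log, the `SystemOut` line in it and the `Caused by:` / `... N more` alternatives are constructed assumptions, as are the helper names.

```python
import re

# Constructed sample, modelled on the two formats in the question: three frames in
# each format, plus a constructed unrelated SystemOut line so the event boundary is tested.
SAMPLE_LOG = """\
[12/26/16 17:41:58:237 GMT+05:30] 0000010c SystemErr R com.ascd.qwer.common.SecurityViolationException: User Record not present.
[12/26/16 17:41:58:237 GMT+05:30] 0000010c SystemErr R at com.ascd.qwer.zxcv(ASDC.java:123)
[12/26/16 17:41:58:237 GMT+05:30] 0000010c SystemErr R at com.ascd.qwer.zxcv(Unknown Source)
[12/26/16 17:41:58:238 GMT+05:30] 0000010c SystemErr R at com.ascd.qwer.zxcv(edirectNav.java:123)
[12/26/16 17:42:01:000 GMT+05:30] 0000010d SystemOut O Request completed
[12/26/16 17:29:14:664 GMT+05:30] 000012db SystemErr R com.ascd.qwer.common.SecurityViolationException: User Record not present.
    at com.ascd.qwer.zxcv(ASDC.java:123)
    at com.ascd.qwer.zxcv(Unknown Source)
    at com.ascd.qwer.zxcv(edirectNav.java:123)
"""

# "[timestamp] threadID shortname loglevel " prefix that format-1 frames repeat on every line.
PREFIX = r"\[[^\]]+\] [0-9a-fA-F]+ [A-Za-z0-9$]{2,}\s+\w+\s+"

# Candidate for the codec's  pattern =>  (keep  what => "previous"  and the default
# negate => false): a line continues the previous event when it starts with whitespace
# (format 2) OR when, after the prefix, it starts like a stack frame (format 1).
# "Caused by:" and "... N more" are an assumption about chained exceptions.
CONTINUATION = re.compile(
    r"^(?:\s|" + PREFIX + r"(?:at |Caused by:|\.\.\. \d+ more))"
)

# Python equivalent of the question's grok line, applied to the first line of each event.
HEADER = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] (?P<threadID>[0-9a-fA-F]+) "
    r"(?P<shortname>[A-Za-z0-9$]{2,})\s+(?P<loglevel>\w+)\s+(?P<message>.*)$"
)
PREFIX_RE = re.compile("^" + PREFIX)


def merge_multiline(lines):
    """Group raw lines into events the way  multiline { what => "previous" }  does."""
    events = []
    for line in lines:
        if events and CONTINUATION.match(line):
            events[-1].append(line)      # continuation: glue onto the previous event
        else:
            events.append([line])        # start of a new event
    return ["\n".join(e) for e in events]


def parse_event(event):
    """Grok-style field extraction plus normalisation of the stack trace.

    Frames from either format come out as identical "\\tat ..." lines, so a rule keyed on
    the exception and its frames works regardless of how the JVM wrote them.
    Returns None when the first line does not carry the expected header.
    """
    first, *frames = event.split("\n")
    m = HEADER.match(first)
    if m is None:
        return None
    fields = m.groupdict()
    normalised = [PREFIX_RE.sub("", f).strip() for f in frames]   # drop repeated prefixes
    fields["message"] = "\n".join([fields["message"]] + ["\t" + f for f in normalised])
    fields["frame_count"] = len(normalised)
    return fields


def parse_log(text):
    """Full pipeline: multiline merge, then parse each event; unparsable ones are kept raw."""
    return [parse_event(e) or {"message": e, "_grokparsefailure": True}
            for e in merge_multiline(text.splitlines())]


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev.get("threadID"), ev.get("frame_count"), repr(ev["message"][:60]))
```

In Logstash the `CONTINUATION` regex (without the Python `re.compile` wrapper) is what goes into `pattern =>` of the multiline codec, and the prefix stripping that `parse_event` does on first-format frames corresponds to a `mutate { gsub => [...] }` on `message` after the grok; because `what => "previous"` can only emit an event once the next non-continuation line arrives, set `auto_flush_interval` on the codec so the last trace in a quiet file is not held back indefinitely.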