Logstash filter for displaying top exception names occurred in spring boot application

Mohammed_Siddiq · April 7, 2020, 3:22pm

Hi Magnus,

I have recently started using ELK, I have been assigned to do ELK integration in my project. I have installed 7.6.1 of ELK and filebeat. I need your assistance is configuring filter for logstash to achieve task mentioned below

What I have done until now ---

I have created a sample microservice which will create some dummy logs and exception when specific REST endpoint url is hit
microservices is configured with logback xml where they will dump all the logs in specific logback folder

3 filebeat will pickup all the logs and send it to logstash

logstash will forward the same logs to elastic search and can be viewed in Kibana

What I want to achieve ---

I want to visualize top- N exception names coming from the logs with respect to count ( I have attached the screenshot of kibana visualization for the same)
Top -N URIPATHS to be visualized in kibana wrt count
I wanted to see the whole stack trace as a single unit

please help....

my sample log file is as below --

2020-04-07 20:20:33.679 ERROR 41436 --- [ restartedMain] o.s.boot.SpringApplication : Application run failed

java.lang.IllegalStateException: Error processing condition on org.springframework.boot.autoconfigure.context.PropertyPlaceholderAutoConfiguration.propertySourcesPlaceholderConfigurer
at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:60) ~[spring-boot-autoconfigure-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at org.springframework.context.annotation.ConditionEvaluator.shouldSkip(ConditionEvaluator.java:108) ~[spring-context-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForBeanMethod(ConfigurationClassBeanDefinitionReader.java:184) ~[spring-context-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForConfigurationClass(ConfigurationClassBeanDefinitionReader.java:144) ~[spring-context-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitions(ConfigurationClassBeanDefinitionReader.java:120) ~[spring-context-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.context.annotation.ConfigurationClassPostProcessor.processConfigBeanDefinitions(ConfigurationClassPostProcessor.java:331) ~[spring-context-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanDefinitionRegistry(ConfigurationClassPostProcessor.java:236) ~[spring-context-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanDefinitionRegistryPostProcessors(PostProcessorRegistrationDelegate.java:275) ~[spring-context-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:95) ~[spring-context-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:706) ~[spring-context-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:532) ~[spring-context-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:141) ~[spring-boot-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:747) [spring-boot-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) [spring-boot-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215) [spring-boot-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at com.ibm.product.ProductsApplication.main(ProductsApplication.java:11) [classes/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_241]
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[na:1.8.0_241]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[na:1.8.0_241]
at java.lang.reflect.Method.invoke(Unknown Source) ~[na:1.8.0_241]
at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) [spring-boot-devtools-2.2.5.RELEASE.jar:2.2.5.RELEASE]
Caused by: java.lang.IllegalStateException: Failed to introspect Class [com.ibm.product.service.KafkaConfig] from ClassLoader [org.springframework.boot.devtools.restart.classloader.RestartClassLoader@6c43b25f]
at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:481) ~[spring-core-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:358) ~[spring-core-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.util.ReflectionUtils.getUniqueDeclaredMethods(ReflectionUtils.java:414) ~[spring-core-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.lambda$getTypeForFactoryMethod$2(AbstractAutowireCapableBeanFactory.java:743) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at java.util.concurrent.ConcurrentHashMap.computeIfAbsent(Unknown Source) ~[na:1.8.0_241]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryMethod(AbstractAutowireCapableBeanFactory.java:742) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.determineTargetType(AbstractAutowireCapableBeanFactory.java:681) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.predictBeanType(AbstractAutowireCapableBeanFactory.java:649) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:1605) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doGetBeanNamesForType(DefaultListableBeanFactory.java:520) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:491) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.boot.autoconfigure.condition.OnBeanCondition.collectBeanNamesForType(OnBeanCondition.java:230) ~[spring-boot-autoconfigure-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getBeanNamesForType(OnBeanCondition.java:223) ~[spring-boot-autoconfigure-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getBeanNamesForType(OnBeanCondition.java:213) ~[spring-boot-autoconfigure-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getMatchingBeans(OnBeanCondition.java:167) ~[spring-boot-autoconfigure-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getMatchOutcome(OnBeanCondition.java:142) ~[spring-boot-autoconfigure-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:47) ~[spring-boot-autoconfigure-2.2.5.RELEASE.jar:2.2.5.RELEASE]
... 22 common frames omitted
Caused by: java.lang.NoClassDefFoundError: ProducerFactory
at java.lang.Class.getDeclaredMethods0(Native Method) ~[na:1.8.0_241]
at java.lang.Class.privateGetDeclaredMethods(Unknown Source) ~[na:1.8.0_241]
at java.lang.Class.getDeclaredMethods(Unknown Source) ~[na:1.8.0_241]
at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:463) ~[spring-core-5.2.4.RELEASE.jar:5.2.4.RELEASE]
... 38 common frames omitted
Caused by: java.lang.ClassNotFoundException: ProducerFactory
at java.net.URLClassLoader.findClass(Unknown Source) ~[na:1.8.0_241]
at java.lang.ClassLoader.loadClass(Unknown Source) ~[na:1.8.0_241]
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source) ~[na:1.8.0_241]
at java.lang.ClassLoader.loadClass(Unknown Source) ~[na:1.8.0_241]
at org.springframework.boot.devtools.restart.classloader.RestartClassLoader.loadClass(RestartClassLoader.java:144) ~[spring-boot-devtools-2.2.5.RELEASE.jar:2.2.5.RELEASE]
at java.lang.ClassLoader.loadClass(Unknown Source) ~[na:1.8.0_241]
... 42 common frames omitted

Below is my sample config file

input {
beats{
port => 5044

}
}

filter {

if [message] =~ "\tat" {
grok {
match => ["message", "^(\tat)"]
add_tag => ["stacktrace"]
}
}

if [message] == "ERROR"{
grok{
match => {"message" => "%TIMESTAMP_ISO8601:timestamp} % {SPACE} % {LOGLEVEL:loglevel}
%{SPACE} % {INT:pid} % {SPACE}---%{SPACE} [%{DATA:threadname}] % {SPACE} % {JAVACLASS:className}
% {SPACE} : %{SPACE} Exception - %{JAVACLASS:exceptionName} : %{SPACE} % {DATA:exceptionMesaage}
\n (?m) % {GREEDYDATA:stacktrace}"
}
}

}

output {
elasticsearch{
hosts => "http://localhost:9200"
index => "filebeat"
}
}

I am getting below error for above config file --

C:\logstash-7.6.1\logstash-7.6.1\config>
C:\logstash-7.6.1\logstash-7.6.1\config>
C:\logstash-7.6.1\logstash-7.6.1\config>logstash -f logstashtest.conf
Sending Logstash logs to C:/logstash-7.6.1/logstash-7.6.1/logs which is now configured via log4j2.properties
[2020-04-07T20:27:16,201][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-04-07T20:27:16,333][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.6.1"}
[2020-04-07T20:27:18,118][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [A-Za-z0-9_-], [ \t\r\n], "#", "=>" at line 31, column 18 (byte 564) after filter {\n\nif [message] =~ "\tat" {\n grok {\n match => ["message", "^(\tat)"]\n add_tag => ["stacktrace"]\n }\n }\nif [message] == "ERROR"{\n\tgrok{\n\t\tmatch => {"message" => "%TIMESTAMP_ISO8601:timestamp} % {SPACE} % {LOGLEVEL:loglevel}\n%{SPACE} % {INT:pid} % {SPACE}---%{SPACE} \[%{DATA:threadname}] % {SPACE} % {JAVACLASS:className}\n% {SPACE} : %{SPACE} Exception - %{JAVACLASS:exceptionName} : %{SPACE} % {DATA:exceptionMesaage}\n\n (?m) % {GREEDYDATA:stacktrace}"\n\t}\n}\t\n \n}\n \n\n\n\noutput {\n elasticsearch", :backtrace=>["C:/logstash-7.6.1/logstash-7.6.1/logstash-core/lib/logstash/compiler.rb:47:in compile_imperative'", "C:/logstash-7.6.1/logstash-7.6.1/logstash-core/lib/logstash/compiler.rb:55:in compile_graph'", "C:/logstash-7.6.1/logstash-7.6.1/logstash-core/lib/logstash/compiler.rb:17:in block in compile_sources'", "org/jruby/RubyArray.java:2580:in map'", "C:/logstash-7.6.1/logstash-7.6.1/logstash-core/lib/logstash/compiler.rb:14:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:161:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "C:/logstash-7.6.1/logstash-7.6.1/logstash-core/lib/logstash/java_pipeline.rb:27:in initialize'", "C:/logstash-7.6.1/logstash-7.6.1/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "C:/logstash-7.6.1/logstash-7.6.1/logstash-core/lib/logstash/agent.rb:326:in block in converge_state'"]}
[2020-04-07T20:27:18,590][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2020-04-07T20:27:23,312][INFO ][logstash.runner ] Logstash shut down.

Badger · April 7, 2020, 3:38pm

The error message is telling you that you are missing a } to close the filter section before starting the output section.

If you want the stack trace as a single unit you will need a multiline configuration in filebeat.

Mohammed_Siddiq · April 8, 2020, 6:01am

Hi,

I have not missed the bracket in my conf file. I added the multiline in filebeat and its working fine but still struck will the logstash filter to print top N exceptions in Kibana.

below is my conf file

input {
beats{
port => 5044

}
}

filter {

if [message] =~ "\tat" {
grok {
match => ["message", "^(\tat)"]
add_tag => ["stacktrace"]
}
}
if [message] == "ERROR"{
grok{
match => {"message" => "%TIMESTAMP_ISO8601:timestamp} % {SPACE} % {LOGLEVEL:loglevel}
%{SPACE} % {INT:pid} % {SPACE}---%{SPACE} [%{DATA:threadname}] % {SPACE} % {JAVACLASS:className}
% {SPACE} : %{SPACE} Exception - %{JAVACLASS:exceptionName} : %{SPACE} % {DATA:exceptionMesaage}
\n (?m) % {GREEDYDATA:stacktrace}"
}
}

}

output {
elasticsearch{
hosts => "http://localhost:9200"
index => "filebeat"
}
}

system · May 6, 2020, 6:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Java.lang.illegalstateexception Logstash	2	392	December 24, 2019
Grok filter behaviour different for some messages Logstash	2	927	December 22, 2016
[ERROR] 2019-01-08 10:18:42.313 [main] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit Logstash	12	19731	March 6, 2019
Exception on configuring Logstash Logstash	5	1358	June 25, 2018
Displaying the Full Exception and Caused By Message Beats filebeat	5	2258	September 4, 2018

Logstash filter for displaying top exception names occurred in spring boot application

Related topics