When you have an add_field declaration in a filter it means "add the fields if the filter is successful", but in your second grok filter you aren't specifying any match criteria, so the filter probably doesn't consider itself successful. Use a mutate filter instead:
Also, avoid using multiple GREEDYDATA patterns. In this case you're probably okay most of the time but it can really mess things up if one isn't careful. In this case I suggest using %{JAVACLASS:class} or %{NOTSPACE:class} instead (and consider naming the field e.g. logger since that describes better what the field actually contains).
The Kibana query. If, as I said, the problem is that you're seeing all kinds of events and not just those with the msg_error field set. Also, you're still using the grok filter even though I suggested that you use a mutate filter. That might work, but it doesn't look right.
Yeah, right, it is working when the word is only Exception, but I need the solution for IOException and NullPointerException (when searching with Exception, IOException and the other exceptions are not found).
Here I am getting a new problem (_grokparsefailure) when this type of log is loaded into ES.
Whether it's just Exception or IOException doesn't matter. if "Exception" in [msg] is a "stupid" substring search that doesn't care about word boundaries.
-> Is there any need to add a new pattern to the filter?
There's a trailing space in your pattern that shouldn't be there. Also, square brackets are metacharacters so [%{NUMBER:thread}] must be \[%{NUMBER:thread}\].
Next time please don't post screenshots. Use the copy/paste feature that I'm sure you're familiar with.
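The three points made in the answers above (square brackets must be escaped in a grok pattern, if "Exception" in [msg] is a substring test so IOException and NullPointerException match too, and adjacent GREEDYDATA patterns split the line at an arbitrary space) can be checked offline with the following Python script. It is an added example, not code from the thread or from Logstash: it emulates grok with a tiny regex-backed stand-in that only knows the NUMBER, NOTSPACE, JAVACLASS and GREEDYDATA patterns named above, and the log lines, field names (thread, logger, msg) and the msg_error value are constructed for the illustration. It does not model the add_field-only-on-success behaviour of the grok filter itself.

```python
"""Python emulation of the grok behaviour discussed in the thread.

Added example, not code from the original posts or from Logstash: a small
regex-backed stand-in for grok, fed with constructed log lines, that shows
  1. square brackets are regex metacharacters and must be escaped,
  2. `if "Exception" in [msg]` is a substring test, so IOException matches too,
  3. two GREEDYDATA patterns in one line split the text at an arbitrary space.
"""
import re

# Simplified regexes behind the grok patterns named in the thread (assumed forms).
GROK_PATTERNS = {
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "NOTSPACE": r"\S+",
    "JAVACLASS": r"(?:[A-Za-z$_][A-Za-z0-9$_]*\.)*[A-Za-z$_][A-Za-z0-9$_]*",
    "GREEDYDATA": r".*",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into a compiled regex with named groups.
    Text outside %{...} is copied verbatim, so a backslash-escaped bracket
    stays an escaped bracket and an unescaped one stays a character class."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(_REF.sub(repl, pattern))


def grok_match(pattern, line):
    """Emulate one grok filter: extracted fields on success, None on failure
    (Logstash would tag the event _grokparsefailure in the latter case)."""
    m = grok_to_regex(pattern).match(line)
    return m.groupdict() if m else None


def process(pattern, line):
    """Parse one line, then apply the conditional from the thread:
        if "Exception" in [msg] { mutate { add_field => { "msg_error" => "true" } } }
    Returns the resulting event as a dict, tags included."""
    event = {"message": line, "tags": []}
    fields = grok_match(pattern, line)
    if fields is None:
        event["tags"].append("_grokparsefailure")
        return event
    event.update(fields)
    # Logstash's `in` on a string field is a plain substring test; it ignores
    # word boundaries, so IOException and NullPointerException match as well.
    if "Exception" in event["msg"]:
        event["msg_error"] = "true"
    return event


def exception_as_word(msg):
    """Contrast: a word-boundary match that hits only a bare 'Exception'."""
    return re.search(r"\bException\b", msg) is not None


def matches(regex, text):
    """Helper for the bracket point: does the regex match the start of text?"""
    return re.match(regex, text) is not None


# Escaped brackets, JAVACLASS for the logger, a single GREEDYDATA at the end.
PATTERN = r"\[%{NUMBER:thread}\] %{JAVACLASS:logger} %{GREEDYDATA:msg}"
# The risky variant: two GREEDYDATA captures next to each other.
TWO_GREEDY = r"\[%{NUMBER:thread}\] %{GREEDYDATA:logger} %{GREEDYDATA:msg}"

# Constructed sample lines in the "[thread] logger message" shape used in the thread.
SAMPLE_LOG = [
    "[12] com.example.Service Request handled in 3 ms",
    "[12] com.example.Service java.io.IOException: connection reset",
    "[7] com.example.Dao java.lang.NullPointerException at line 42",
    "[7] com.example.Dao Exception while closing resource",
    "Started without a thread id",  # does not match the pattern: _grokparsefailure
]

if __name__ == "__main__":
    # Unescaped [12] is a character class matching a single '1' or '2', not "[12]".
    print(matches(r"[12] x", "[12] x"), matches(r"\[12\] x", "[12] x"))  # False True
    for line in SAMPLE_LOG:
        ev = process(PATTERN, line)
        print(ev["tags"], ev.get("logger"), ev.get("msg_error"), ev.get("msg"))
    # Two GREEDYDATAs: the first one swallows everything up to the last space.
    print(grok_match(TWO_GREEDY, SAMPLE_LOG[0]))
```

Running it shows the unescaped bracket pattern failing while the escaped one matches, msg_error being set for all three exception lines (not only the bare "Exception" one), the line without a thread id picking up _grokparsefailure, and the two-GREEDYDATA pattern assigning almost the whole message to logger and only "ms" to msg, which is why JAVACLASS or NOTSPACE is the better choice for that field.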