Hi,
I am very new to the ELK Stack. I have a requirement to parse specific metadata from a log entry.
Here is a sample log entry:
[ERROR] [2021-01-04 14:56:41,566] [http-nio-8080-exec-4] [com.blocks.bear.server.exception.ExceptionHelper.handleServerExceptions(ExceptionHelper.java:63)] - {
"method": "getSection",
"userId": "31369",
"jobId": "A1706",
"stacktrace": "javax.servlet.http.HttpServlet.service(HttpServlet.java:660): DfServiceException while logging into Docs
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.soap.server.RPCRouter.invoke(RPCRouter.java:146)
"
}
My requirement is to get the below-mentioned fields as individual entries:
method: getSection
userId: 31369
jobId: A1706
stacktrace: javax.servlet.http.HttpServlet.service(HttpServlet.java:660): DfServiceException while logging into Docs
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
Here is my logstash.conf file:
input {
  file {
    type => "java"
    path => "C:/ELK/test_logs.log"
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate => "true"
      what => "previous"
    }
  }
}
filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:date}%{GREEDYDATA:misc}{\n (?m)%{GREEDYDATA:metadata}\n (?m)%{GREEDYDATA:stacktrace}" }
  }
}
output {
  stdout {
    codec => rubydebug
  }
  elasticsearch {
    hosts => [ "localhost:9200" ]
  }
}
When I run Logstash and update the log file, Logstash doesn't process the new entry until I stop it; before shutting down, it processes that entry but gives a grokparsefailure.
Any help would be highly appreciated.
Thanks
I would parse each line with a separate pattern:
grok {
  break_on_match => false
  match => {
    "message" => [
      "method: (?<method>[^\n]*)",
      "userId: (?<userId>[^\n]*)",
      "jobId: (?<jobId>[^\n]*)",
      ...
    ]
  }
}
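The per-field approach from the reply, run as plain Ruby regexes over the sample entry from the question. This is an added example, not code from the thread or from Logstash. Logstash grok compiles its patterns with Oniguruma named captures, the same `(?<name>...)` syntax Ruby uses, so each pattern below can be pasted into a grok `match` list as-is. Two assumptions are mine: the keys in the sample are quoted (`"method": "getSection",`), so the patterns match that form rather than the unquoted `method: ...` form in the reply, and the event boundary is taken from the `[LEVEL] [timestamp]` prefix that the sample lines actually start with. The sample log text and the second `[INFO]` line are constructed for the example.

```ruby
# Added example, not code from the thread: the per-field grok approach from
# the reply, run as plain Ruby regexes. Grok uses Oniguruma named captures,
# the same (?<name>...) syntax as Ruby, so these patterns also work in grok.

# Constructed sample: the entry from the question, as the single multi-line
# event the multiline codec hands to grok, plus a second one-line entry so the
# event splitter below has a boundary to find.
SAMPLE_EVENT = <<~LOG
  [ERROR] [2021-01-04 14:56:41,566] [http-nio-8080-exec-4] [com.blocks.bear.server.exception.ExceptionHelper.handleServerExceptions(ExceptionHelper.java:63)] - {
  "method": "getSection",
  "userId": "31369",
  "jobId": "A1706",
  "stacktrace": "javax.servlet.http.HttpServlet.service(HttpServlet.java:660): DfServiceException while logging into Docs
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at org.apache.soap.server.RPCRouter.invoke(RPCRouter.java:146)
  "
  }
LOG

SAMPLE_LOG = SAMPLE_EVENT +
  "[INFO] [2021-01-04 14:57:02,001] [http-nio-8080-exec-5] [com.blocks.bear.server.Startup] - ready\n"

# A new event starts with "[LEVEL] [yyyy-MM-dd HH:mm:ss,SSS]". The config in the
# question anchors on ^%{TIMESTAMP_ISO8601}, which never matches these lines
# because the level bracket comes first (assumption based on the sample).
EVENT_START = /\A\[[A-Z]+\] \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\]/

# One pattern per field, in the grok "break_on_match => false" style: every
# pattern is tried and all captures are merged into one event.
FIELD_PATTERNS = [
  /\A\[(?<level>[A-Z]+)\] \[(?<timestamp>[^\]]+)\] \[(?<thread>[^\]]+)\]/,
  /"method":\s*"(?<method>[^"\n]*)"/,
  /"userId":\s*"(?<userId>[^"\n]*)"/,
  /"jobId":\s*"(?<jobId>[^"\n]*)"/,
  # The stack trace runs across lines up to a closing quote alone on its line;
  # /m lets '.' cross newlines, the equivalent of (?m) in an Oniguruma pattern.
  /"stacktrace":\s*"(?<stacktrace>.*?)\n"\n\}/m,
]

# Mimic the multiline codec with negate => true, what => previous: a line that
# does not match the start pattern is appended to the event before it.
def split_events(text, start_re = EVENT_START)
  events = []
  text.each_line do |line|
    if line.match?(start_re) || events.empty?
      events << line.dup
    else
      events.last << line
    end
  end
  events
end

# Apply every pattern and merge the named captures. An empty result is the
# case grok reports with a _grokparsefailure tag (no pattern matched at all).
def grok_fields(message, patterns = FIELD_PATTERNS)
  fields = {}
  patterns.each do |re|
    m = re.match(message)
    next unless m
    m.names.each { |name| fields[name] = m[name] }
  end
  fields
end

if $PROGRAM_NAME == __FILE__
  split_events(SAMPLE_LOG).each do |event|
    puts grok_fields(event).inspect
  end
end
```

Two points worth checking against your own config. First, the event-start pattern must match the first line of each entry; with the sample above, `^%{TIMESTAMP_ISO8601} ` does not, because the line begins with `[ERROR]`, so the whole file becomes one event and the grok pattern fails on it. Second, the multiline codec only emits an event when it sees the next start line (or at shutdown), which is why the new entry appears only when Logstash stops; setting `auto_flush_interval` on the codec flushes a pending event after a timeout instead.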