Multiline Configuration / Java Stack Trace

cschlaefcke · September 19, 2018, 10:58am

Hi,

I just started working with docker elk and also have filebeat for some docker containers up and running (almost). One of my docker container (JIRA) is creating multiline output (mainly java exceptions / stack traces) and thanks to the excellent filebeat documentation I was able to fetch java stack traces as a single log entry.

I simply took this multiline configuration from the docs:

multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Caused by:'
multiline.negate: false
multiline.match: after

But sometimes I have exception like this one:

java.lang.IllegalArgumentException: Cannot find Screen with id '13300'.
    at com.atlassian.jira.workflow.WorkflowActionsBean.getFieldScreenForView(WorkflowActionsBean.java:57)
    at com.atlassian.jira.workflow.AbstractJiraWorkflow.loadFieldScreenActions(AbstractJiraWorkflow.java:416)
    at com.atlassian.jira.workflow.AbstractJiraWorkflow.getActionsForScreen(AbstractJiraWorkflow.java:403)
    at com.atlassian.jira.web.action.admin.issuefields.screens.ViewFieldScreens.getWorkflowTransitionViews(ViewFieldScreens.java:139)
    at sun.reflect.GeneratedMethodAccessor1513.invoke(Unknown Source)
    ... 1 filtered
    at java.lang.reflect.Method.invoke(Method.java:498)
    at webwork.util.InjectionUtils$DefaultInjectionImpl.invoke(InjectionUtils.java:70)
    at webwork.util.InjectionUtils.invoke(InjectionUtils.java:56)
    at webwork.util.ValueStack.findValue(ValueStack.java:517)
    at webwork.util.ValueStack.findValue(ValueStack.java:216)
    at webwork.view.taglib.WebWorkBodyTagSupport.findValue(WebWorkBodyTagSupport.java:62)
    at webwork.view.taglib.BasicPropertyTag.doStartTag(BasicPropertyTag.java:54)
    at jsp.secure.admin.views.issuefields.screens.viewfieldscreens_jsp._jspx_meth_ww_005fproperty_005f5(viewfieldscreens_jsp.java:1327)

And from the beginning of the line

... 1 filtered

a new event will be discovered - somehow the multiline.pattern is not fetching it correctly even though the docs say:

a line that begins with spaces followed by the word  `at`  or  `...`

Any idea pointing me in the right direction would very much appreciated!

Best Regards,

Christian

cschlaefcke · September 19, 2018, 12:37pm

After I found the hint for testing my pattern first it is at least obvious that the current pattern is not matching the line with dots:

cschlaefcke · September 19, 2018, 1:01pm

Okay now - I´ve played around a bit with the pattern and it seems that the word boundary switch (\b) is causing problems. Even though I am not sure what exactly it was intended for - changing the pattern from:

multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Caused by:'

to

multiline.pattern: '^[[:space:]]+(at|\.{3})|^Caused by:'

makes my filebeat configuration work like desired

system · October 17, 2018, 1:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.