Multiline Filter : How to group error logs with stacktrace to elastic search using logstash?

I am trying to group Error logs which having stacktrace information using multiline filter. Not sure how to set pattern correctly. Kindly help me to config the correct pattern.

This is my logging pattern,

INFO  | 2023-04-10 16:49:07, 721 | DI.Jobs.TcpListenerProcess | TcpListenerProcess | EstablishConnection | 0 | Establishing Connection - RemoteIP- ;Port- 
 ERROR | 2023-04-10 16:49:07, 703 | DI.Jobs.TcpListenerProcessBiDirection | TcpListenerProcessBiDirection | EstablishConnection | 0 | Server Port :  | Client IP :  | Error in EstablishConnection|System.Net.Sockets.SocketException (0x80004005): The requested address is not valid in its context
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at System.Net.Sockets.TcpListener.Start(Int32 backlog)
   at DI.Jobs.TcpListenerProcessBiDirection.EstablishConnection(String RemoteIP, Int32 RemotePort, General oGeneral, ILog LoggerObject)
 INFO  | 2023-04-10 16:49:07, 745 | DI.Helper.Common.AuditHelper+<>c__DisplayClass0_0 | AuditHelper+<>c__DisplayClass0_0 | <ConnectivityAudit>b__0 | 0 | Sending Connectivity Audit | JOB ID :54602046-5eed-47ca-827a-c1091f1ada92,job | Connectivity Status : False
 INFO  | 2023-04-10 16:49:07, 746 | Server.Jobs.Integration | Integration | Execute | 0 | String[] {}
 ERROR | 2023-04-10 16:49:07, 744 | DI.Jobs.TcpListenerProcess | TcpListenerProcess | EstablishConnection | 0 | Job ID :5b2b328c-d988-4e95-9e49-78b99db6cbfc,jobServer Port :  | Client IP :  | Error in EstablishConnection|System.Net.Sockets.SocketException (0x80004005): The requested address is not valid in its context
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at System.Net.Sockets.TcpListener.Start(Int32 backlog)
   at DI.Jobs.TcpListenerProcess.EstablishConnection(String RemoteIP, Int32 RemotePort, General oGeneral, ILog LoggerObject)
 INFO  | 2023-04-10 16:49:07, 755 | DI.Jobs.TcpListenerProcess | TcpListenerProcess | EstablishConnection | 0 | Establishing Connection - RemoteIP- ;Port- 
 ERROR | 2023-04-10 16:49:07, 757 | DI.Jobs.TcpListenerProcess | TcpListenerProcess | EstablishConnection | 0 | Job ID :27eebba8-ed26-4822-a6d9-a98aa81dff22,jobServer Port :  | Client IP :  | Error in EstablishConnection|System.Net.Sockets.SocketException (0x80004005): The requested address is not valid in its context
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at System.Net.Sockets.TcpListener.Start(Int32 backlog)
   at DI.Jobs.TcpListenerProcess.EstablishConnection(String RemoteIP, Int32 RemotePort, General oGeneral, ILog LoggerObject)
 ERROR | 2023-04-10 16:49:07, 756 | DI.Jobs.TcpListenerProcess | TcpListenerProcess | StartProcess | 0 | System.IO.IOException: The process cannot access the file 'C:\ProgramData\Application\TempFiles\connectivity.json' because it is being used by another process.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.StreamWriter.CreateFile(String path, Boolean append, Boolean checkHost)
   at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize, Boolean checkHost)
   at System.IO.File.InternalWriteAllText(String path, String contents, Encoding encoding, Boolean checkHost)
   at Monitor.Engine.Utility.JobConnectivityLogger.JobConnectivityAuditer(String JobID, Boolean connectivityStatus)
   at DI.Jobs.TcpListenerProcess.EstablishConnection(String RemoteIP, Int32 RemotePort, General oGeneral, ILog LoggerObject)
   at DI.Jobs.TcpListenerProcess.StartProcess(String RemoteIP, String LocalIP, Int32 LocalPort, Int32 RemotePort, MachineConfiguration oMachineConfiguration, ILog LoggerObject)
 INFO  | 2023-04-10 16:49:07, 763 | Server.Jobs.Integration | Integration | Execute | 0 | String[] {FWC-3 | Exiting}
 INFO  | 2023-04-10 16:49:07, 752 | DI.Helper.Common.AuditHelper+<>c__DisplayClass0_0 | AuditHelper+<>c__DisplayClass0_0 | <ConnectivityAudit>b__0 | 0 | Sending  Connectivity Audit | JOB ID :5b2b328c-d988-4e95-9e49-78b99db6cbfc,job | Connectivity Status : False

There are total of 10 log entries, but while filtering I am getting only 2 log entries.

This is my logstash config for multiline filter,

multiline {
     pattern => "(^.+Exception: .+)|(^s+at .+)"
     what => "previous"
     negate => "true"
   }

Logstash Output to ES

Kindly suggest me to separate, each log-level as separate entries in Elasticsearch.

The first example in the documentation shows what pattern to use to handle this.

1 Like

Thanks Badger.

It is working for me with below pattern,

multiline {
    pattern => "\s+at\s+"
    what => "previous"
  }```

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.