Multiline Filter : How to group error logs with stacktrace to elastic search using logstash?

karthi.charles · July 21, 2023, 1:54pm

I am trying to group Error logs which having stacktrace information using multiline filter. Not sure how to set pattern correctly. Kindly help me to config the correct pattern.

This is my logging pattern,

INFO  | 2023-04-10 16:49:07, 721 | DI.Jobs.TcpListenerProcess | TcpListenerProcess | EstablishConnection | 0 | Establishing Connection - RemoteIP- ;Port- 
 ERROR | 2023-04-10 16:49:07, 703 | DI.Jobs.TcpListenerProcessBiDirection | TcpListenerProcessBiDirection | EstablishConnection | 0 | Server Port :  | Client IP :  | Error in EstablishConnection|System.Net.Sockets.SocketException (0x80004005): The requested address is not valid in its context
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at System.Net.Sockets.TcpListener.Start(Int32 backlog)
   at DI.Jobs.TcpListenerProcessBiDirection.EstablishConnection(String RemoteIP, Int32 RemotePort, General oGeneral, ILog LoggerObject)
 INFO  | 2023-04-10 16:49:07, 745 | DI.Helper.Common.AuditHelper+<>c__DisplayClass0_0 | AuditHelper+<>c__DisplayClass0_0 | <ConnectivityAudit>b__0 | 0 | Sending Connectivity Audit | JOB ID :54602046-5eed-47ca-827a-c1091f1ada92,job | Connectivity Status : False
 INFO  | 2023-04-10 16:49:07, 746 | Server.Jobs.Integration | Integration | Execute | 0 | String[] {}
 ERROR | 2023-04-10 16:49:07, 744 | DI.Jobs.TcpListenerProcess | TcpListenerProcess | EstablishConnection | 0 | Job ID :5b2b328c-d988-4e95-9e49-78b99db6cbfc,jobServer Port :  | Client IP :  | Error in EstablishConnection|System.Net.Sockets.SocketException (0x80004005): The requested address is not valid in its context
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at System.Net.Sockets.TcpListener.Start(Int32 backlog)
   at DI.Jobs.TcpListenerProcess.EstablishConnection(String RemoteIP, Int32 RemotePort, General oGeneral, ILog LoggerObject)
 INFO  | 2023-04-10 16:49:07, 755 | DI.Jobs.TcpListenerProcess | TcpListenerProcess | EstablishConnection | 0 | Establishing Connection - RemoteIP- ;Port- 
 ERROR | 2023-04-10 16:49:07, 757 | DI.Jobs.TcpListenerProcess | TcpListenerProcess | EstablishConnection | 0 | Job ID :27eebba8-ed26-4822-a6d9-a98aa81dff22,jobServer Port :  | Client IP :  | Error in EstablishConnection|System.Net.Sockets.SocketException (0x80004005): The requested address is not valid in its context
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at System.Net.Sockets.TcpListener.Start(Int32 backlog)
   at DI.Jobs.TcpListenerProcess.EstablishConnection(String RemoteIP, Int32 RemotePort, General oGeneral, ILog LoggerObject)
 ERROR | 2023-04-10 16:49:07, 756 | DI.Jobs.TcpListenerProcess | TcpListenerProcess | StartProcess | 0 | System.IO.IOException: The process cannot access the file 'C:\ProgramData\Application\TempFiles\connectivity.json' because it is being used by another process.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.StreamWriter.CreateFile(String path, Boolean append, Boolean checkHost)
   at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize, Boolean checkHost)
   at System.IO.File.InternalWriteAllText(String path, String contents, Encoding encoding, Boolean checkHost)
   at Monitor.Engine.Utility.JobConnectivityLogger.JobConnectivityAuditer(String JobID, Boolean connectivityStatus)
   at DI.Jobs.TcpListenerProcess.EstablishConnection(String RemoteIP, Int32 RemotePort, General oGeneral, ILog LoggerObject)
   at DI.Jobs.TcpListenerProcess.StartProcess(String RemoteIP, String LocalIP, Int32 LocalPort, Int32 RemotePort, MachineConfiguration oMachineConfiguration, ILog LoggerObject)
 INFO  | 2023-04-10 16:49:07, 763 | Server.Jobs.Integration | Integration | Execute | 0 | String[] {FWC-3 | Exiting}
 INFO  | 2023-04-10 16:49:07, 752 | DI.Helper.Common.AuditHelper+<>c__DisplayClass0_0 | AuditHelper+<>c__DisplayClass0_0 | <ConnectivityAudit>b__0 | 0 | Sending  Connectivity Audit | JOB ID :5b2b328c-d988-4e95-9e49-78b99db6cbfc,job | Connectivity Status : False

There are total of 10 log entries, but while filtering I am getting only 2 log entries.

This is my logstash config for multiline filter,

multiline {
     pattern => "(^.+Exception: .+)|(^s+at .+)"
     what => "previous"
     negate => "true"
   }

Logstash Output to ES

Kindly suggest me to separate, each log-level as separate entries in Elasticsearch.

Badger · July 21, 2023, 4:02pm

The first example in the documentation shows what pattern to use to handle this.

karthi.charles · July 26, 2023, 11:57am

Thanks Badger.

It is working for me with below pattern,

multiline {
    pattern => "\s+at\s+"
    what => "previous"
  }```

system · August 23, 2023, 11:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline problem Logstash	6	2052	July 6, 2017
Help with Logstash Multiline parsing for Stacktraces Logstash	2	88	June 6, 2024
Need help with Parsing Multiline StackTrace Logstash	5	2796	July 31, 2019
How to handle Exceptions Logstash	10	2698	July 6, 2017
Split filter logstash Logstash	1	220	June 1, 2022

Multiline Filter : How to group error logs with stacktrace to elastic search using logstash?

Related topics