Multiline hybris stacktrace with different dates

Elastic Stack Logstash
1

Hello everybody,
I have very bad issue. I need to parse a log such as:
INFO | jvm 1 | main | 2015/04/11 17:25:58.569 | java.lang.NullPointerException INFO | jvm 1 | main | 2015/04/11 17:25:58.569 | at de.hybris.platform.commercefacades.product.converters.populator.ProductFeatureListPopulator.buildClassificationDataList(ProductFeatureListPopulator.java:78) INFO | jvm 1 | main | 2015/04/11 17:25:58.569 | at de.hybris.platform.commercefacades.product.converters.populator.ProductFeatureListPopulator.populate(ProductFeatureListPopulator.java:65) INFO | jvm 1 | main | 2015/04/11 17:25:58.569 | java.lang.NullPointerException INFO | jvm 1 | main | 2015/04/11 17:25:58.569 | at de.hybris.platform.commercefacades.product.converters.populator.ProductFeatureListPopulator.buildClassificationDataList(ProductFeatureListPopulator.java:78) INFO | jvm 1 | main | 2015/04/11 17:25:58.569 | at de.hybris.platform.commercefacades.product.converters.populator.ProductFeatureListPopulator.populate(ProductFeatureListPopulator.java:65) INFO | jvm 1 | main | 2015/04/11 17:25:58.571 | at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain.doFilterInternal(AbstractPlatformFilterChain.java:155) INFO | jvm 1 | main | 2015/04/11 17:25:58.571 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

As you see, this log have already had different dates. I want to get this log message as multiline:
java.lang.NullPointerException at de.hybris.platform.commercefacades.product.converters.populator.ProductFeatureListPopulator.buildClassificationDataList(ProductFeatureListPopulator.java:78) at de.hybris.platform.commercefacades.product.converters.populator.ProductFeatureListPopulator.populate(ProductFeatureListPopulator.java:65)
...
with only first date. But I can't( Here is my pipeline:
`input
{
file {
path => "/usr/stack.log"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
grok {
match => { "message" => "(?:(?:.?|)){3}(?<datetime_string>.?)|(?<l_message>.)$" }
}
mutate {
gsub => ["l_message","(\t)",""]
}
mutate {
gsub => ["l_message", "[\e]", "_"]
}
multiline {
pattern => "([a-zA-Z.]+(?:Exception).+)|(\s+at .+)|(\t+at .+)|(\s+... \d+ more)|(\sCaused by:.+)"
what => "previous"
}
mutate {
strip => "datetime_string"
}
if "multiline" in [tags] {
mutate {
update => { "datetime_string" => "%{[datetime_string][0]}" }
}
}

    date {
            match => [ "datetime_string" , "yyyy/MM/dd HH:mm:ss.SSS" ]
            timezone => "Etc/GMT"
    }
    mutate {
            remove_field => [ "file" ]
            remove_field => [ "offset" ]
            remove_field => [ "message" ]
            remove_field => [ "datetime_string" ]
    }

}
output
{
stdout {
codec => rubydebug
}
}`

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.