Multiline isn't working

jervdv · April 22, 2016, 1:06pm

I honestly have no idea why my multiline isn't working and here is a sample of my multiline config

multiline:
    pattern: ^INFO   \| jvm 1    \| main    \| [0-9]{4}\/[0-9]{2}\/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3} \| [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}
    negate: true
    match: after

Here is a sample data of my log

INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 09:00:14,190 [clearCacheJob(node2)::de.foo.platform.servicelayer.internal.jalo.ServicelayerJob] ERROR [Job] Could not start own session due to Session attribute for cronjob 'clearCacheJob(node2)' were null! [user:null, currency:8796093087777->EUR, language:8796093186080->nl
INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | de.foo.platform.jalo.ConsistencyCheckException: Session attribute for cronjob 'clearCacheJob(node2)' were null! [user:null, currency:8796093087777->EUR, language:8796093186080->nl[HY-0]
INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.cronjob.jalo.Job.startOwnSession(Job.java:1138)
INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.cronjob.jalo.Job.performImpl(Job.java:762)
INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.cronjob.jalo.Job.access$1(Job.java:752)
INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.cronjob.jalo.Job$JobRunable.run(Job.java:657)
INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.util.threadpool.PoolableThread.run(PoolableThread.java:131)
INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | Caused by: java.lang.IllegalStateException: Session attribute for cronjob 'clearCacheJob(node2)' were null! [user:null, currency:8796093087777->EUR, language:8796093186080->nl
INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.cronjob.jalo.CronJob.createSessionForCronJob(CronJob.java:1941)
INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.cronjob.jalo.Job.startOwnSession(Job.java:1134)
INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	... 4 more
INFO   | jvm 1    | main    | 2016/03/01 09:00:14.259 | 
INFO   | jvm 1    | main    | 2016/03/01 09:53:55.650 | 09:53:55,601 [hybrisHTTP27] WARN  [UrlUtil] Unable to determine top level domain. Hostname is: testp1.piwo.pila.pl

He should make one log event like this:

    INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 09:00:14,190 [clearCacheJob(node2)::de.foo.platform.servicelayer.internal.jalo.ServicelayerJob] ERROR [Job] Could not start own session due to Session attribute for cronjob 'clearCacheJob(node2)' were null! [user:null, currency:8796093087777->EUR, language:8796093186080->nl
    INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | de.foo.platform.jalo.ConsistencyCheckException: Session attribute for cronjob 'clearCacheJob(node2)' were null! [user:null, currency:8796093087777->EUR, language:8796093186080->nl[HY-0]
    INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.cronjob.jalo.Job.startOwnSession(Job.java:1138)
    INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.cronjob.jalo.Job.performImpl(Job.java:762)
    INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.cronjob.jalo.Job.access$1(Job.java:752)
    INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.cronjob.jalo.Job$JobRunable.run(Job.java:657)
    INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.util.threadpool.PoolableThread.run(PoolableThread.java:131)
    INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | Caused by: java.lang.IllegalStateException: Session attribute for cronjob 'clearCacheJob(node2)' were null! [user:null, currency:8796093087777->EUR, language:8796093186080->nl
    INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.cronjob.jalo.CronJob.createSessionForCronJob(CronJob.java:1941)
    INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	at de.foo.platform.cronjob.jalo.Job.startOwnSession(Job.java:1134)
    INFO   | jvm 1    | main    | 2016/03/01 09:00:14.258 | 	... 4 more
    INFO   | jvm 1    | main    | 2016/03/01 09:00:14.259 |

steffens · April 25, 2016, 1:07pm

sure it should become one log event? the timestamp of last line looks pretty much off.

steffens · April 25, 2016, 1:19pm

This pattern '^(.*\|){4} (Caused by: |.*[a-zA-Z0-9\.]+Exception|[[:space:]]|$)' seems to work (test out here). The pattern skips the first 4 columns and checks a line starting with Cause by:, contains xxxxxException, begins with another whitespace ([[:space:]] pattern) or is empty line ($ operator).

When using yaml it's a good idea to put regular expression within single quotes '.

jervdv · May 3, 2016, 7:38am

The problem is this is just one example of a possible output of the stacktrace it can have all kind of formats.
The only thing i know is that when you have a time part after my last | a new event starts.

That is also why i made this multiline statement ^INFO | jvm 1 | main | [0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3} | [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}

When i test it out in regex101.com everything goes perfect.
So i think it has to do something with the parsing and/or the escape characters?

jervdv · May 3, 2016, 9:30am

Here is my config:

    filebeat:
      prospectors:
        -
          paths:
            - /var/log/app_console2.log

      input_type: log

      document_type: appConsole

  registry_file: /var/lib/filebeat/registry

multiline:
    pattern: ^INFO   \| jvm 1    \| main    \| [0-9]{4}\/[0-9]{2}\/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3} \| [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}
    negate: true
    match: after

output:
  logstash:
    hosts: ["52.49.117.253:5044"]
    bulk_max_size: 1024

    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

shipper:

logging:
  files:
    rotateeverybytes: 10485760 # = 10MB

Is there something wrong with the config formatting because when i use ^. as multiline pattern it doesn't even make it into one log event.

steffens · May 3, 2016, 11:53am

when using regexes in yaml prefer to put these within single quotes ' . YAML has 5 different kinda of string-formats with different escaping rules. single quotes is most safest option I think. Due to not having single quote yaml parser will likely remove escape characters \ from input such that you end up with big or filter.
regex101.com only has a few regex engines. There are big/small difference between different engines. The engine used by golang is based on re2. Try this tester and mark the 'POSIX ERE' checkbox.

Oh, I missed that. This should "simplify' the regex.
Your pattern with variable spacing becomes.