Multiple matches in grok won't work

Hi,
My logs:

[9/16/18 19:00:22:154 CEST] 00001609 SystemOut     O 2018-09-16 19:00:22,154 ERROR [ContentQueueWorker_ADR_Worker background task processing6064] - Failed to delete Centera clip id 840VGECLTS8FAe7GT8CKT6LF91AG41CHNC9VU204BR9L02LJTO2BD (Centera error code: -10005)
com.filepool.fplibrary.FPLibraryException: com.emc.vipr.cashead.api.InternalObjectException: Unable to set object metadata for: 840VGECLTS8FAe7GT8CKT6LF91AG41CHNC9VU204BR9L02LJTO2BD
	at com.emc.vipr.cashead.impl.vipr.ExceptionTranslator.translateError(ExceptionTranslator.java:40)
	at com.emc.vipr.cashead.impl.vipr.BlobClientObjectDatastore.setObjectMetadata(BlobClientObjectDatastore.java:321)
	at com.emc.vipr.cashead.storageserver.access.transaction.delete.UpdateMetadata.performAction(UpdateMetadata.java:32)
[9/16/18 19:00:22:154 CEST] 00001609 SystemOut     O 1032332946 [ContentQueueWorker_ADR_Worker background task processing6064] ERROR filenet_error.fixed_content_provider.com.filenet.engine.content.fcprovider.centera.CenteraAdaptor  - Failed to delete Centera clip id 840VGECLTS8FAe7GT8CKT6LF91AG41CHNC9VU204BR9L02LJTO2BD (Centera error code: -10005)
com.filepool.fplibrary.FPLibraryException: com.emc.vipr.cashead.api.InternalObjectException: Unable to set object metadata for: 840VGECLTS8FAe7GT8CKT6LF91AG41CHNC9VU204BR9L02LJTO2BD
	at com.emc.vipr.cashead.impl.vipr.ExceptionTranslator.translateError(ExceptionTranslator.java:40)
	at com.emc.vipr.cashead.impl.vipr.BlobClientObjectDatastore.setObjectMetadata(BlobClientObjectDatastore.java:321)
[9/17/18 12:30:11:507 CEST] 000016f7 SystemOut     O 2018-09-17 12:30:11,507  WARN [CSEIndexProcessor$BatchExecutor_null_Worker background task processing7140] - No text was produced from the extraction process for /opt/filenet/collections_temp/sl008848/cpe1member01/OS{B0E9EAD3-6229-407F-AD9E-443B23620D16}/FN17/FN10/FN22/FN{4011E765-0000-CF12-AFA2-A450427591D0}{514DD4A4-6D3B-48B2-B400-CB2ECE734A75}-0.pdf object:{4011E765-0000-CF12-AFA2-A450427591D0} class:InvoicePaymentOrderBookingVoucher Reason: NO_TEXT_EXTRACTED
[7/30/18 4:25:27:036 CEST] 0000011e SetDateProper I de.abs.ecm.filenet.eventactions.SetDatePropertyOnVersionPromotion onPromoteVersionEvent Property SentOn an Dokument ID={20DCE864-0000-CB14-A6A5-2AC66640F647} auf den Wert 2018-07-30 04:25:26.933 gesetzt.
[7/30/18 9:32:54:708 CEST] 0000006f InheritDossie E de.abs.ecm.filenet.eventactions.InheritDossierPropertiesOnFiledIn inheritDossierProperties Bei der Ausführung einer EventAction ist ein Fehler aufgetreten: Das Dokument ID={806BC764-0200-C1AB-ACED-49213624A58B} liegt in mehr als einem Ordner vor, Zuweisung der Sicherheitseinstellungen nicht möglich
    java.lang.Runtime.
	at com.emc.vipr.cashead.impl.vipr.ExceptionTranslator.translateError(ExceptionTranslator.java:40)
	at com.emc.vipr.cashead.impl.vipr.BlobClientObjectDatastore.setObjectMetadata(BlobClientObjectDatastore.java:321)
[9/17/18 15:01:43:995 CEST] 0000176f InheritDossie I de.abs.ecm.filenet.eventactions.InheritDossierPropertyValues setProperty Property konnte nicht gesetzt werden, da nicht gefunden: AnualTurnOver

My Logstash configuration:

input { beats { port => 5044 } }

filter {
  # CPE JVM log pattern
  if [fields][log_type] == "SystemOut-CPE-JVM" {
    grok {
      break_on_match => false
      match => { "message" => "%{DATESTAMP:time} %{NOTSPACE} %{NOTSPACE:thread} %{WORD:log-source} [ ]* %{WORD:sev} %{NOTSPACE} \[%{DATA}\] %{LOGLEVEL:log-level} %{GREEDYDATA:msg}" }
      match => { "message" => "%{DATESTAMP:time} %{NOTSPACE} %{NOTSPACE:thread} %{WORD:log-source} [ ]* %{WORD:sev} %{TIMESTAMP_ISO8601} %{LOGLEVEL:log-level} %{GREEDYDATA:msg}" }
      match => { "message" => "%{DATESTAMP:time} %{NOTSPACE} %{NOTSPACE:thread} %{WORD:log-source} [ ]* %{WORD:sev} %{TIMESTAMP_ISO8601} [ ]* %{LOGLEVEL:log-level} %{GREEDYDATA:msg}" }
      match => { "message" => "%{DATESTAMP:time} %{NOTSPACE} %{NOTSPACE:thread} %{WORD:log-source} [ ]* %{DATA:sev} %{NOTSPACE} %{GREEDYDATA:msg}" }
      match => { "message" => "%{DATESTAMP:time} %{NOTSPACE} %{NOTSPACE:thread} %{WORD:log-source} %{WORD:sev} %{NOTSPACE:package} %{WORD:methode} %{GREEDYDATA:msg}" }
    }
    mutate { replace => [ "type", "SystemOut-CPE-JVM_log" ] }
  }
}

output {
  stdout { codec => rubydebug }

  elasticsearch {
    hosts => ["localhost:9200"]
    index => "test_1"
  }
}

The main problem is that I'm not able to parse all of the above logs together, but it works fine when I parse the log entries separately.
I set break_on_match to false, but it is still not working for all matches together.

Any idea why it's not working? Thanks in advance.
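
Added example, not part of the original post: a Python emulation of how grok's `break_on_match` setting treats an ordered list of patterns, run over lines shortened from the logs above. The regexes in `GROK` are simplified stand-ins for the real grok definitions, and `compile_grok`, `grok`, `PREFIX` and the sample constants are names chosen for this example.

```python
import re
# Simplified regex stand-ins for the grok patterns the post uses (assumption:
# the definitions shipped with Logstash are broader than these).
GROK = {
    "DATESTAMP": r"\d{1,2}/\d{1,2}/\d{2,4} \d{1,2}:\d{2}:\d{2}(?:[:.,]\d+)?",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "LOGLEVEL": r"ERROR|WARN|INFO|DEBUG", "NOTSPACE": r"\S+",
    "WORD": r"\b\w+\b", "DATA": r".*?", "GREEDYDATA": r".*",
}
PREFIX = "%{DATESTAMP:time} %{NOTSPACE} %{NOTSPACE:thread} %{WORD:log-source} "
EXPRS = [  # the five match expressions from the post, in their original order
    PREFIX + r"[ ]* %{WORD:sev} %{NOTSPACE} \[%{DATA}\] %{LOGLEVEL:log-level} %{GREEDYDATA:msg}",
    PREFIX + r"[ ]* %{WORD:sev} %{TIMESTAMP_ISO8601} %{LOGLEVEL:log-level} %{GREEDYDATA:msg}",
    PREFIX + r"[ ]* %{WORD:sev} %{TIMESTAMP_ISO8601} [ ]* %{LOGLEVEL:log-level} %{GREEDYDATA:msg}",
    PREFIX + r"[ ]* %{DATA:sev} %{NOTSPACE} %{GREEDYDATA:msg}",
    PREFIX + r"%{WORD:sev} %{NOTSPACE:package} %{WORD:methode} %{GREEDYDATA:msg}",
]

def compile_grok(expr):
    """Expand %{NAME} and %{NAME:field} into a Python regex ('-' in names becomes '_')."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        group = f"?P<{field.replace('-', '_')}>" if field else "?:"
        return f"({group}{GROK[name]})"
    return re.compile(re.sub(r"%\{(\w+)(?::([\w-]+))?\}", expand, expr))

PATTERNS = [compile_grok(e) for e in EXPRS]

def grok(message, patterns, break_on_match=True):
    """Try patterns in order; stop at the first hit unless break_on_match is False."""
    event = {}
    for rx in patterns:
        m = rx.search(message)
        if m:
            for field, value in m.groupdict().items():
                prev = event.get(field)
                if prev is not None:  # captured by an earlier pattern: promote to a list
                    value = (prev if isinstance(prev, list) else [prev]) + [value]
                event[field] = value
            if break_on_match:
                break
    if not event:  # no pattern matched at all
        event["tags"] = ["_grokparsefailure"]
    return event

# Constructed samples, shortened from the post's log lines.
ERROR_LINE = "[9/16/18 19:00:22:154 CEST] 00001609 SystemOut     O 2018-09-16 19:00:22,154 ERROR [Worker 6064] - Failed to delete clip"
TRACE_LINE = "\tat com.emc.vipr.cashead.impl.vipr.ExceptionTranslator.translateError(ExceptionTranslator.java:40)"
EVENT_LINE = "[7/30/18 4:25:27:036 CEST] 0000011e SetDateProper I de.abs.ecm.SetDate onPromoteVersionEvent Property SentOn gesetzt."
```

With `break_on_match=False` every pattern is tried, so a line that two patterns match (here `ERROR_LINE`, via the second and fourth expressions) ends up with list-valued fields. A stack-trace continuation line has no timestamp prefix, matches nothing, and is tagged `_grokparsefailure`.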
