Not able to multiline this Log on the basis of timestamp pattern

Elastic Stack Beats
1

Greetings,
I was trying to handle following kind of logs with multiline. I am not able to get all events starting from timestamp.
Could somebody please help me in making a good multiline pattern to get all the stack traces into single event.

2016-11-01 20:03:43,249 - ERROR - blackcole_abc.service.abcService - 8538490c-8a6e-4ad9-8397-30f636a6e924 - Cannot store data in abc: Failed abc API POST request https://writer.com/abc status code = 400, re
ason = Bad Request
Traceback (most recent call last):
File "/opt/rh/python27/root/usr/lib/python2.7/site-packages/blackcole_abc/service.py", line 44, in write
timestamp=str(int(epoc))
File "/opt/rh/python27/root/usr/lib/python2.7/site-packages/blackcole_abc/api_client.py", line 53, in submit
url, result.status_code, result.reason))
abcWriterClientError: Failed abc API POST request https://writer.com/abc status code = 400, reason = Bad Request
2016-11-01 20:03:43,250 - ERROR - blackcole_abc.service.abcService - 8538490c-8a6e-4ad9-8397-30f636a6e924 - Cannot write message
Traceback (most recent call last):
File "/opt/rh/python27/root/usr/lib/python2.7/site-packages/blackcole/core.py", line 167, in on_message
self.write(processed, properties.correlation_id, headers)
File "/opt/rh/python27/root/usr/lib/python2.7/site-packages/blackcole_abc/service.py", line 49, in write
raise e
abcWriterClientError: Failed abc API POST request https://writer.com/abc status code = 400, reason = Bad Request

Thank You
Nitin Bhaisare

2

Pasted image1860×933 117 KB

3

Grok Pattern

(?m)%{TIMESTAMP_ISO8601:timestamp}\s*-\s*%{LOGLEVEL_TEST:level}\s*-\s*%{GREEDYDATA:restOfMsg}

LOGLEVEL_TEST (ERROR|[E|e]rror)

Multiline pattern:
^%{TIMESTAMP_ISO8601}

Check on this link:
http://grokconstructor.appspot.com/do/match

4

Thanks @vvs14 ....you saved me :relaxed:

This worked
Actually I am very new to ELK stack. so i was stuck here for few days.
1 more question do i have to put following configuration in the filebeat.yml or in the logstash ?

multiline.pattern: '^%{TIMESTAMP_ISO8601}'
multiline.negate: true
multiline.match: after

5

I put this configuration in the filebeat

960×358 9.26 KB

But it is still not taking stack trace as an single event.
What am I missing

My architecture is like below
FILEBEAT --> Logstash Shipper --> RabbitMQ --> Logstash Indexer -->ES --> Kibana

Also the grok pattern i am using is

grok {
match => {"message" =>"^%{TIMESTAMP_ISO8601:timestamp}\s+-\s+%{LOGLEVEL:severity}\s+-\s+%{DATA:code_unit}\s+-\s+((%{UUID:correlation_id}\s+)?-\s+)?%{GREEDYDATA:message}$"}
overwrite => [ "message" ]
}
date {
match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss,SSS" ]
}
}

I cannot use Redis. So could you please tell me what am i missing??

6

Grok is not supported in Filebeat. If you want to use grok you must use Logstash. If you want to do the multiline on the filebeat side, you must use regexp.

7

@ruflin This is definitely the problem here.
I checked the regexp but i am not getting any idea how to single event above multiline message. Could you please tell which regexp to use also can we use multiple regexp in filebeat??

8

It's probably best that you have a look at the examples here. https://www.elastic.co/guide/en/beats/filebeat/5.0/multiline-examples.html#_examples_of_multiline_configuration

9

@ruflin Thanks i will try this

10

This topic was automatically closed after 21 days. New replies are no longer allowed.