Not able to multiline this Log on the basis of timestamp pattern

NITIN-BHAISARE · November 3, 2016, 9:56am

Greetings,
I was trying to handle following kind of logs with multiline. I am not able to get all events starting from timestamp.
Could somebody please help me in making a good multiline pattern to get all the stack traces into single event.

2016-11-01 20:03:43,249 - ERROR - blackcole_abc.service.abcService - 8538490c-8a6e-4ad9-8397-30f636a6e924 - Cannot store data in abc: Failed abc API POST request https://writer.com/abc status code = 400, re
ason = Bad Request
Traceback (most recent call last):
File "/opt/rh/python27/root/usr/lib/python2.7/site-packages/blackcole_abc/service.py", line 44, in write
timestamp=str(int(epoc))
File "/opt/rh/python27/root/usr/lib/python2.7/site-packages/blackcole_abc/api_client.py", line 53, in submit
url, result.status_code, result.reason))
abcWriterClientError: Failed abc API POST request https://writer.com/abc status code = 400, reason = Bad Request
2016-11-01 20:03:43,250 - ERROR - blackcole_abc.service.abcService - 8538490c-8a6e-4ad9-8397-30f636a6e924 - Cannot write message
Traceback (most recent call last):
File "/opt/rh/python27/root/usr/lib/python2.7/site-packages/blackcole/core.py", line 167, in on_message
self.write(processed, properties.correlation_id, headers)
File "/opt/rh/python27/root/usr/lib/python2.7/site-packages/blackcole_abc/service.py", line 49, in write
raise e
abcWriterClientError: Failed abc API POST request https://writer.com/abc status code = 400, reason = Bad Request

Thank You
Nitin Bhaisare

NITIN-BHAISARE · November 3, 2016, 10:15am

vvs14 · November 3, 2016, 10:34am

Grok Pattern

(?m)%{TIMESTAMP_ISO8601:timestamp}\s*-\s*%{LOGLEVEL_TEST:level}\s*-\s*%{GREEDYDATA:restOfMsg}

LOGLEVEL_TEST (ERROR|[E|e]rror)

Multiline pattern:
^%{TIMESTAMP_ISO8601}

Check on this link:
http://grokconstructor.appspot.com/do/match

NITIN-BHAISARE · November 3, 2016, 11:02am

Thanks @vvs14 ....you saved me

This worked
Actually I am very new to ELK stack. so i was stuck here for few days.
1 more question do i have to put following configuration in the filebeat.yml or in the logstash ?

multiline.pattern: '^%{TIMESTAMP_ISO8601}'
multiline.negate: true
multiline.match: after

NITIN-BHAISARE · November 3, 2016, 12:27pm

I put this configuration in the filebeat

But it is still not taking stack trace as an single event.
What am I missing

My architecture is like below
FILEBEAT --> Logstash Shipper --> RabbitMQ --> Logstash Indexer -->ES --> Kibana

Also the grok pattern i am using is

grok {
match => {"message" =>"^%{TIMESTAMP_ISO8601:timestamp}\s+-\s+%{LOGLEVEL:severity}\s+-\s+%{DATA:code_unit}\s+-\s+((%{UUID:correlation_id}\s+)?-\s+)?%{GREEDYDATA:message}$"}
overwrite => [ "message" ]
}
date {
match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss,SSS" ]
}
}

I cannot use Redis. So could you please tell me what am i missing??

ruflin · November 4, 2016, 7:43am

Grok is not supported in Filebeat. If you want to use grok you must use Logstash. If you want to do the multiline on the filebeat side, you must use regexp.

NITIN-BHAISARE · November 6, 2016, 9:51am

@ruflin This is definitely the problem here.
I checked the regexp but i am not getting any idea how to single event above multiline message. Could you please tell which regexp to use also can we use multiple regexp in filebeat??

ruflin · November 7, 2016, 5:33pm

It's probably best that you have a look at the examples here. https://www.elastic.co/guide/en/beats/filebeat/5.0/multiline-examples.html#_examples_of_multiline_configuration

NITIN-BHAISARE · November 8, 2016, 5:11pm

@ruflin Thanks i will try this

system · November 24, 2016, 9:57am

This topic was automatically closed after 21 days. New replies are no longer allowed.