Parsing python traceback in multiline mode

(Sergey Paramoshkin) #1

Hi, maybe someone had a problem parsing the logs, where there is a python stacktrace.
What should be the regex pattern?

filebeat configuration:

        pattern: ^\[
        negate: false
        match: after

os configuration:

Red Hat Enterprise Linux Server release 6.7 (Santiago)

logs sample

        ERROR 2016-06-08 15:24:15,132 - Checking java processes failed
        Traceback (most recent call last):
          File "/usr/lib/python2.6/site-packages/ambari_agent/", line 212, in javaProcs
            cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read()

(ruflin) #2

Did you have a look here? In case you have ERROR on each new multiline, you could go for checking for ERROR.

(Steffen Siering) #3

How come you opted for ^\[ as your regex pattern? If log levels are known you can try:

pattern: 'ERROR|INFO|DEBUG|WARN' with negate:true and so on. Alternatively (if it's just stack traces) try
pattern: '^Traceback|^[[:space:]]+' with negate: false.

Here is some test script (click run button):

Don't use single events when testing multiline (or reporting issues). Adding additional potential logs can change the required pattern.
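
A simplified model of Filebeat's `match: after` grouping, added here as an example (not part of the original posts and not Filebeat's own code), run over the three patterns from this thread. The sample extends the posted log with constructed neighbouring lines and a constructed final exception line; `groupAfter` and `sample` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sample from the thread, extended with lines marked "(constructed)".
var sample = []string{
	"INFO 2016-06-08 15:24:14,901 - Heartbeat sent (constructed)",
	"ERROR 2016-06-08 15:24:15,132 - Checking java processes failed",
	"Traceback (most recent call last):",
	`  File "/usr/lib/python2.6/site-packages/ambari_agent/", line 212, in javaProcs`,
	"    cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read()",
	"IOError: [Errno 2] No such file or directory (constructed)",
	"INFO 2016-06-08 15:24:16,004 - Heartbeat sent (constructed)",
}

// groupAfter models match: after. A line is a continuation when
// (pattern matches) != negate; any other line starts a new event.
func groupAfter(lines []string, pattern string, negate bool) []string {
	re := regexp.MustCompile(pattern)
	var events []string
	for _, l := range lines {
		if re.MatchString(l) != negate && len(events) > 0 {
			events[len(events)-1] += "\n" + l // append to previous event
		} else {
			events = append(events, l) // start a new event
		}
	}
	return events
}

func main() {
	cases := []struct {
		pattern string
		negate  bool
	}{
		{`^\[`, false},                      // configuration from post #1
		{`ERROR|INFO|DEBUG|WARN`, true},     // log-level pattern from post #3
		{`^Traceback|^[[:space:]]+`, false}, // traceback pattern from post #3
	}
	for _, c := range cases {
		ev := groupAfter(sample, c.pattern, c.negate)
		fmt.Printf("pattern=%q negate=%v -> %d events\n%s\n\n", c.pattern, c.negate,
			len(ev), strings.Join(ev, "\n---\n"))
	}
}
```

With the traceback pattern, the final `IOError:` line becomes its own event because it starts at column 0, which is the kind of difference a single-event test hides.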
