Parsing python traceback in multiline mode

Hi, maybe someone had a problem parsing the logs, where there is a python stacktrace.
What should be the regex pattern

filebeat configuration:

        pattern: ^\[
        negate: false
        match: after

os configuration:

Red Hat Enterprise Linux Server release 6.7 (Santiago)

logs sample

ERROR 2016-06-08 15:24:15,132 - Checking java processes failed
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ambari_agent/", line 212, in javaProcs
    cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read()
1 Like

Did you have a look here? In case you have ERROR on each new multiline, you could go for checking for ERROR.

home come you opted for ^\[ as your regex pattern? If log levels are known you can try:

pattern: 'ERROR|INFO|DEBUG|WARN' with negate:true and so on. Alternatively (if it's just stack traces) try
pattern: '^Traceback|^[[:space:]]+' with negate: false.

Here is some test script (click run button):

Don't use single events when testing multiline (or reporting issues). Adding additional potential logs can change the required pattern.


This topic was automatically closed after 21 days. New replies are no longer allowed.