Parsing python traceback in multiline mode

Elastic Stack Beats
1

Hi, maybe someone had a problem parsing the logs, where there is a python stacktrace.
What should be the regex pattern

filebeat configuration:

 multiline:
        pattern: ^\[
        negate: false
        match: after

os configuration:

Red Hat Enterprise Linux Server release 6.7 (Santiago)

logs sample

ERROR 2016-06-08 15:24:15,132 HostInfo.py:229 - Checking java processes failed
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ambari_agent/HostInfo.py", line 212, in javaProcs
    cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read()
1 Like
2

Did you have a look here? https://www.elastic.co/guide/en/beats/filebeat/1.2/configuration-filebeat-options.html#multiline In case you have ERROR on each new multiline, you could go for checking for ERROR.

3

home come you opted for ^\[ as your regex pattern? If log levels are known you can try:

pattern: 'ERROR|INFO|DEBUG|WARN' with negate:true and so on. Alternatively (if it's just stack traces) try
pattern: '^Traceback|^[[:space:]]+' with negate: false.

Here is some test script (click run button): https://play.golang.org/p/S6cvSTu-on

Don't use single events when testing multiline (or reporting issues). Adding additional potential logs can change the required pattern.

2 Likes
4

This topic was automatically closed after 21 days. New replies are no longer allowed.