Hi,
I have few entries in log that looks like that:
I am trying to build a grok that will fits them all, but have a problem where the string is : Exception occurred in API invocation More that, I need to try and catch the CM1-000259 which is the error code.
The grok I started to build:
\<\<%{LOGLEVEL:severity}\>\> \[%{PARTTIMESTAMP:timestamp}\] \[\[%{DATA:status}\] %{DATA:exe_thread_details}\] \[%{DATA:application}\] \[%{DATA:user}\] \(%{JAVACLASS:class}\) %{WORD:exception_error} %{JAVAMETHOD:exception_method}
More that, I have various customized grok patterns:
WEBLOGICTIMESTAMP %{MONTH} %{MONTHDAY}, %{YEAR} %{TIME} %{DL}
WEBLOGICTIMESTAMP_TZ %{MONTH} %{MONTHDAY}, %{YEAR} %{TIME} %{DL} ?%{TZ}?
DL ([P|A]M]?)
J2ES_TIMESTAMP %{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}
TZ (?:[IPMCE][SD]T|UTC)
PARTTIMESTAMP %{MONTH} %{MONTHDAY} %{TIME}
# Java
JAVACLASS (?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*
#Space is an allowed character to match special cases like 'Native Method' or 'Unknown Source'
JAVAFILE (?:[A-Za-z0-9_. -]+)
#Allow special <init>, <clinit> methods
JAVAMETHOD (?:(<(?:cl)?init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)
#Line number is optional in special cases 'Native method' or 'Unknown source'
JAVASTACKTRACEPART %{SPACE}at %{JAVACLASS:class}\.%{JAVAMETHOD:method}\(%{JAVAFILE:file}(?::%{NUMBER:line})?\)
# Java Logs
JAVATHREAD (?:[A-Z]{2}-Processor[\d]+)
JAVALOGMESSAGE (.*)
The result I see in the grok debugger is:
{
"severity": [
[
"DEBUG"
]
],
"timestamp": [
[
"Feb 29 12:51:36"
]
],
"MONTH": [
[
"Feb"
]
],
"MONTHDAY": [
[
"29"
]
],
"TIME": [
[
"12:51:36"
]
],
"HOUR": [
[
"12"
]
],
"MINUTE": [
[
"51"
]
],
"SECOND": [
[
"36"
]
],
"status": [
[
"ACTIVE"
]
],
"exe_thread_details": [
[
"ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'"
]
],
"application": [
[
"CM"
]
],
"user": [
[
"ABPBatchUser"
]
],
"class": [
[
"BasicCustomizationProxy.logACMException"
]
],
"exception_error": [
[
"Exception"
]
],
"exception_method": [
[
"occurred"
]
]
}
Regards,
Sharon.