Problem with java stacktaces

Elastic Stack Beats
1

Hello,
there is possibility to join java error stacktrace to above log line?

2018-06-26%2012_17_15
2018-06-26 12_17_15.png1629×672 76.1 KB

I'm totally don't know what i need to change. Below is my configuration of multiline codec from filebeat.yml and also grok filter from logstash

filebeat.yml

filebeat.prospectors:
    - 
      paths:
        - D:\Programs\jboss-eap-7.0\lines\line-AMDEV\log\saso-core-test-pl.log
      tags:   ["DEV PLD PL"]
      multiline.pattern: '^[[:space:]]+(org|\.{3})\b|^Caused by:'
      multiline.negate: false
      multiline.match: after

logstash conf file

        filter {
        	
        	grok {
        			match => {"message" => "(?<log_timestamp>%{YEAR}-%{MONTHNUM2}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND},%{NONNEGINT})\] %{LOGLEVEL:loglevel} * \[(?<logger>[A-Za-z0-9$_.]+)\] \(%{JAVAFILE:class}:%{NONNEGINT:line}\) \[(?<thread>.*)\] \{(?<MDC>.*)\}: %{GREEDYDATA:log_message}"}
        		}
        	
        	date {
        		match => [ "log_timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
        		target => "@timestamp"
        		timezone => "UTC"
        	}
        		
        	mutate {
        		remove_tag => ["beats_input_codec_plain_applied"]
        		remove_field => "timestamp"
        	}

        }

I'm really want to understand what is wrong with my configuration... :frowning:

2

Hello @Kubson in our documentation we do provide a configuration to join java stack trace on Filebeat. The pattern should work in your case since new statement always starts with [, after your grok should work with the merged data.

multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
1 Like
3

Hello @pierhugues, thank a lot. After few tests is works like it is described in documentation. I used this configuration before but it didn't worked, maybe i've made a small misspelling. Anyway thanks again.

1 Like
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.