Ruby Code in Logstash to extract specific line

vikramaddagulla · April 23, 2020, 5:57am

Hello,

I have a java stack error message and I would like to extract "Caused by" line from the full error message.

I had followed the instructions stated in the below post :

I was able to achieve the results but with a minor issue :

The line that I want to print is :

java.lang.ClassCastException: weblogic.jms.common.DestinationImpl cannot be cast to javax.jms.ConnectionFactory

However the line being extracted is :

java.lang.ClassCastException

I know something needs to be changed in the below code. But I have no knowledge on ruby...Suggestions please...

The ruby code used is :

ruby {
code => "
s = event.get('logmessage')
r = s.scan(/Caused By: ([^:]+):/)
r = r.flatten
event.set('causedby', r.join('/'))
"
}

Badger · April 23, 2020, 4:38pm

That searches for "Caused By" followed by a colon and a space, then captures one or more characters that are not a colon. Since java.lang.ClassCastException is followed by a colon that is where it stops. You have not shown us what the logmessage field looks like so we cannot tell what should replace the ([^:]+): It might be ([^\n]+) or it might be (.*)$

vikramaddagulla · April 24, 2020, 5:15am

Hello

My log stack will look like the below ;

at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:54)
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:617)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:397)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:346)

Caused by: java.sql.SQLException: ORA-24776: cannot start a new transaction

at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:466)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:399)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:391)
at oracle.jdbc.driver.T4CTTIfun.processError(T4CTTIfun.java:1126)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:546)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:269)

I would like to extract :
java.sql.SQLException: ORA-24776: cannot start a new transaction

vikramaddagulla · April 24, 2020, 5:28am

Please suggest if this is correct ?

Caused by: ([^\n]+)

Also, please suggest how can I make Caused By case insensitive ?

Because I observed that the log sometimes writes as Caused By and sometimes as Caused by

vikramaddagulla · April 24, 2020, 5:47am

I have used https://rubular.com/ and came up with the below expression :

r = s.scan(/Caused [bB]y: ([^\n]+)/)

I think this will work. I will test this and confirm.

Please suggest if any changes needed.

system · May 22, 2020, 5:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.