Stack-trace issue

vshivare · June 22, 2020, 7:01am

This is my json message:
{ "module":"MODULE",
"timeStamp":"Jun 22 12:20:46.785",
"containerId":INDLT1534",
"correlationId":"",
"level":"ERROR",
"logger":"c.m.r.HelloWorldService",
"message":"This is due to java.lang.ClassNotFoundException: com.org.sequent.tag
at java.net.URLClassLoader.findClass(URLClassLoader.java:381) ~[?:1.8.0_161]
at java.lang.ClassLoader.loadClass(ClassLoader.java:424) ~[?:1.8.0_161]
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:338) ~[?:1.8.0_161]
at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[?:1.8.0_161]
at java.lang.Class.forName0(Native Method) ~[?:1.8.0_161]
at java.lang.Class.forName(Class.java:264) ~[?:1.8.0_161]
at com.mkyong.rest.HelloWorldService.main(HelloWorldService.java:19) [classes/:?]
",
"exception":" java.lang.ClassNotFoundException: com.org.sequent.tag
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:338)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:264)
at com.mkyong.rest.HelloWorldService.main(HelloWorldService.java:19)
"}

`Here is my logstash.conf file:`
input {
  tcp {
    port => 5120
    type => syslog
  }
  udp {
    port => 5120
    type => syslog
  }
}
filter {
  grok {
   match => { "message" => " {%{QS}:%{QS:module},%{QS}:%{QS:@timestamp},%{QS}:%{QS},%{QS:}:%{QS:correlationId},%{QS}:%{QS},%{QS}:%{QS},%{QS}:%{GREEDYDATA:message},%{QS}:%{QS}}" }
    overwrite => [ "message" ]
    named_captures_only => true
  }
}
output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => line }
}

For normal logs this config is working fine but once get any error this is not working. It is creating separate entry for each line. I have tried to replace /n with " " but then logs are not readable.
Or if I replace /n with "[NEWLINE]", Is there any way on kibana to replace [NEWLINE] with actual newline only for display.

NerdSec · June 22, 2020, 7:43am

Hi Vishal,

Could you format the question to make it more readable?

vshivare · June 22, 2020, 8:19am

Please check now.

NerdSec · June 23, 2020, 1:21am

Thank you!

There is no way to replace a newline just for display in Kibana. The only way the parser can work is if you account for the newline using something like gsub, which I believe you have already tried.

https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-gsub

vshivare · June 23, 2020, 6:13am

So can we do any change in lostash.conf so that it will allow multline logs as one message?

NerdSec · June 23, 2020, 6:24am

Yes, you will have to replace the newline "/n" with a space using gsub mentioned earlier.

vshivare · June 23, 2020, 6:34am

but that message is not in readable format.

NerdSec · June 23, 2020, 6:51am

What do you mean by readable format? Could you show the message?

system · July 21, 2020, 6:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.