Why wouldn't logstash parse my java stacktrace

I have a Spring Boot application that can emits logs like this (java stacktrace)

2019-04-19 09:10:45.757 ERROR [discovery,,,] 1 --- [tbeatExecutor-0] com.netflix.discovery.DiscoveryClient    : DiscoveryClient_DISCOVERY/9c4a9274ab5f:discovery:8761 - was unable to send heartbeat!

com.netflix.discovery.shared.transport.TransportException: Cannot execute request on any known server
	at com.netflix.discovery.shared.transport.decorator.RetryableEurekaHttpClient.execute(RetryableEurekaHttpClient.java:111) ~[eureka-client-1.6.2.jar!/:1.6.2]
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator.sendHeartBeat(EurekaHttpClientDecorator.java:89) ~[eureka-client-1.6.2.jar!/:1.6.2]
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator$3.execute(EurekaHttpClientDecorator.java:92) ~[eureka-client-1.6.2.jar!/:1.6.2]
	at com.netflix.discovery.shared.transport.decorator.SessionedEurekaHttpClient.execute(SessionedEurekaHttpClient.java:77) ~[eureka-client-1.6.2.jar!/:1.6.2]
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator.sendHeartBeat(EurekaHttpClientDecorator.java:89) ~[eureka-client-1.6.2.jar!/:1.6.2]
	at com.netflix.discovery.DiscoveryClient.renew(DiscoveryClient.java:815) ~[eureka-client-1.6.2.jar!/:1.6.2]
	at com.netflix.discovery.DiscoveryClient$HeartbeatThread.run(DiscoveryClient.java:1379) [eureka-client-1.6.2.jar!/:1.6.2]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_202]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_202]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_202]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_202]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_202]

I use ELK Stack to view these logs.
I can see events coming in Logstash by typing "docker logs logstash" (I running logstash in docker):
09:10:45.775 [[main]>worker7] DEBUG logstash.pipeline - filter received {"event"=>{"@timestamp"=>2019-04-19T09:10:45.769Z, "stream"=>"stdout", "port"=>36238, "@version"=>"1", "host"=>"172.18.0.3", "message"=>"\ncom.netflix.discovery.shared.transport.TransportException: Cannot execute request on any known server\n\tat com.netflix.discovery.shared.transport.decorator.RetryableEurekaHttpClient.execute(RetryableEurekaHttpClient.java:111) ~[eureka-client-1.6.2.jar!/:1.6.2]\n\tat com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator.sendHeartBeat(EurekaHttpClientDecorator.java:89) ~[eureka-client-1.6.2.jar!/:1.6.2]\n\tat com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator$3.execute(EurekaHttpClientDecorator.java:92) ~[eureka-client-1.6.2.jar!/:1.6.2]\n\tat com.netflix.discovery.shared.transport.decorator.SessionedEurekaHttpClient.execute(SessionedEurekaHttpClient.java:77) ~[eureka-client-1.6.2.jar!/:1.6.2]\n\tat com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator.sendHeartBeat(EurekaHttpClientDecorator.java:89) ~[eureka-client-1.6.2.jar!/:1.6.2]\n\tat com.netflix.discovery.DiscoveryClient.renew(DiscoveryClient.java:815) ~[eureka-client-1.6.2.jar!/:1.6.2]\n\tat com.netflix.discovery.DiscoveryClient$HeartbeatThread.run(DiscoveryClient.java:1379) [eureka-client-1.6.2.jar!/:1.6.2]\n\tat java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_202]\n\tat java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_202]\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_202]\n\tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_202]\n\tat java.lang.Thread.run(Thread.java:748) [na:1.8.0_202]", "type"=>"logspout-logs-tcp", "docker"=>{"name"=>"/universign-ng_discovery-master2_1", "image"=>"universign/discovery-server:1.4-SNAPSHOT", "hostname"=>"9c4a9274ab5f", "id"=>"9c4a9274ab5fa643642d8804cd1d4e1629ac754e65367081f34a55a1d8eba1ae", "labels"=>nil}, "tags"=>["docker-universign-ng", "dev-dc0-lap-57.universign.net"]}}

I defined grok in logstash like this:

grok {
	match => {
		"message" => [
				"\n(?<log-exception>.*?Exception: .*+\n(\sat.*+\n)*+)"
		]
	}
}

But in Kibana I see that this log has a grokParseFailure, like this:

Capture d'écran de 2019-04-19 11-28-28.png1441×746 83.4 KB

So why can't logstash properly parse my java stacktrace ?

What do you expect .*+ to match?

I used this page to test logs against grok pattern, and it passed.

I expect .*+ to match all characters (except new line) after a cetrain word, like "at", "caused by" ...

• and * are both modifiers of the previous character. . matches any character, + says to match it one or more times, * says to match it zero or more times. So .* and .+ both make sense, but .*+ does not. I am not sure what it matches, but probably any group of characters followed by +

On the official page of logstash, it says that it uses oniguruma regex syntax, and *+ means possesive quantifier.

I stand corrected.

"\n(?<log-exception>.*?Exception: .+\n(\sat.*+\n)*+)"

works, although it does not capture the final line of the stack trace.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.