Filter 如何获取与'；n'；使用logstash从日志中提取时间

我有一个日志跟踪，我试图从中获取一组与我的grok匹配的行

在此处输入代码

日志：

CNTR0020E: EJB threw an unexpected (non-declared) exception during invocation of method "getCustomerDashBoardCVAHistoricalDataRequestCount" on bean "BeanId(cva-admin-ear#vis-ejb-cva-4.20.0.0-SNAPSHOT.jar#CustomerDashboardServiceBean, null)". Exception data: java.lang.RuntimeException: com.ibm.websphere.naming.CannotInstantiateObjectException: Exception occurred while the JNDI NamingManager was processing a javax.naming.Reference object. [Root exception is com.ibm.websphere.ejbcontainer.AmbiguousEJBReferenceException: The short-form default binding 'za.co.sb.archiving.midtier.ejb.HistoricalDataRequestBusinessServiceRemote' is ambiguous because multiple beans implement the interface : [channel-frontendEAR#channel-biz-ejb-3-4.20.0.0-SNAPSHOT.jar#HistoricalDataRequestBusinessServiceBean, nbol-rest-0_0_1-20150729_102930-10_war#nbol-rest-0.0.1-20150729.102930-10.war#HistoricalDataRequestBusinessServiceBean]. Provide an interface specific binding or use the long-form default binding on lookup.]
    at za.co.sb.channel.cva.customerdashboard.midtier.pojo.CustomerDashboardVisServicePojo.getRequestBusinessService(CustomerDashboardVisServicePojo.java:355)
    at za.co.sb.channel.cva.customerdashboard.midtier.pojo.CustomerDashboardVisServicePojo.getHistoricalDataRequestCount(CustomerDashboardVisServicePojo.java:282)
    at za.co.sb.channel.cva.customerdashboard.midtier.pojo.CustomerDashboardVisServicePojo.getCustomerDashBoardHistoricalDataRequestCount(CustomerDashboardVisServicePojo.java:249)
    at za.co.sb.channel.cva.customerdashboard.midtier.ejb.CustomerDashboardServiceBean.getCustomerDashBoardCVAHistoricalDataRequestCount(CustomerDashboardServiceBean.java:49)
    at za.co.sb.channel.cva.customerdashboard.midtier.ejb.EJSLocal0SLCustomerDashboardServiceBean_7d8a7f63.getCustomerDashBoardCVAHistoricalDataRequestCount(EJSLocal0SLCustomerDashboardServiceBean_7d8a7f63.java)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at za.co.sb.midtier.processservice.ProcessServiceImpl.callService(ProcessServiceImpl.java:770)
    at za.co.sb.midtier.processservice.ProcessServiceImpl.retrieveResultData(ProcessServiceImpl.java:1151)
    at za.co.sb.midtier.processservice.ProcessServiceImpl.process(ProcessServiceImpl.java:248)
    at za.co.sb.midtier.processservice.ProcessServiceBean.process(ProcessServiceBean.java:63)
    at za.co.sb.midtier.processservice.EJSRemote0SLCustomerAdminProcessService_450d08b4.process(EJSRemote0SLCustomerAdminProcessService_450d08b4.java)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Caused by: com.ibm.websphere.naming.CannotInstantiateObjectException: Exception occurred while the JNDI NamingManager was processing a javax.naming.Reference object. [Root exception is com.ibm.websphere.ejbcontainer.AmbiguousEJBReferenceException: The short-form default binding 'za.co.sb.archiving.midtier.ejb.HistoricalDataRequestBusinessServiceRemote' is ambiguous because multiple beans implement the interface : [channel-frontendEAR#channel-biz-ejb-3-4.20.0.0-SNAPSHOT.jar#HistoricalDataRequestBusinessServiceBean, nbol-rest-0_0_1-20150729_102930-10_war#nbol-rest-0.0.1-20150729.102930-10.war#HistoricalDataRequestBusinessServiceBean]. Provide an interface specific binding or use the long-form default binding on lookup.]
    at com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookupExt(Helpers.java:1103)
    at com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookup(Helpers.java:796)
    at com.ibm.ws.naming.jndicos.CNContextImpl.processBoundObjectForLookup(CNContextImpl.java:2876)
    at com.ibm.ws.naming.jndicos.CNContextImpl.processResolveResults(CNContextImpl.java:3973)
    at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1875)
    at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1776)
    at com.ibm.ws.naming.jndicos.CNContextImpl.lookupExt(CNContextImpl.java:1433)
    at com.ibm.ws.naming.jndicos.CNContextImpl.lookup(CNContextImpl.java:615)
    at com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:165)
    at com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:179)
    at org.apache.aries.jndi.DelegateContext.lookup(DelegateContext.java:161)
    at

Grok模式：CUSTOM_ZACOSB（？:\A*at za.co.sb.{5}？）

在过滤器中的用法：

grok{
    match => ["ParseContent","%{CUSTOM_ZACOSB:ProjectLocation}"]
    add_tag => "ProjectLocation"
}

输出：“项目位置”=>“在za.co.sb.chan”

预期产出：

at za.co.sb.channel.cva.customerdashboard.midtier.pojo.CustomerDashboardVisServicePojo.getRequestBusinessService(CustomerDashboardVisServicePojo.java:355)
    at za.co.sb.channel.cva.customerdashboard.midtier.pojo.CustomerDashboardVisServicePojo.getHistoricalDataRequestCount(CustomerDashboardVisServicePojo.java:282)
    at za.co.sb.channel.cva.customerdashboard.midtier.pojo.CustomerDashboardVisServicePojo.getCustomerDashBoardHistoricalDataRequestCount(CustomerDashboardVisServicePojo.java:249)
    at za.co.sb.channel.cva.customerdashboard.midtier.ejb.CustomerDashboardServiceBean.getCustomerDashBoardCVAHistoricalDataRequestCount(CustomerDashboardServiceBean.java:49)
    at za.co.sb.channel.cva.customerdashboard.midtier.ejb.EJSLocal0SLCustomerDashboardServiceBean_7d8a7f63.getCustomerDashBoardCVAHistoricalDataRequestCount(EJSLocal0SLCustomerDashboardServiceBean_7d8a7f63.java)

---

有人能指出我犯了什么错误吗。这会有很大的帮助。我只想要那五行而不是其余的，我的过滤器能够找到内容，但它不会走得更远。如果我修改它捕获整个日志，这是我不想要的。

看起来您没有将多行stacktrace滚动到单个消息中，以便logstash处理。Filebeat和logstash都具有多行功能。一旦你有了一条消息，你就可以调整你的regexp了。

Im使用以下多行：multiline{pattern=>“[%{DATE}”negate=>true what=>“previous”}那么我们应该为上面添加另一条多行吗？如果这样做不会影响前面的多行配置吗？{5}意味着“5个字符”。此模式将获得一整行：（？：at za.co.sb[^]），但在上面使用{5}并不能获得五。。。