Logstash 匹配多行事件中第二行的字段(异常名称)
我有多行Log4J日志。第一行后面的行是可选的。第一行包含日志消息,之后是stacktrace。我想提取stacktrace上的顶级异常类名,它是第二行的第一部分。例如:Logstash 匹配多行事件中第二行的字段(异常名称),logstash,logstash-grok,Logstash,Logstash Grok,我有多行Log4J日志。第一行后面的行是可选的。第一行包含日志消息,之后是stacktrace。我想提取stacktrace上的顶级异常类名,它是第二行的第一部分。例如: 2016-01-18 13:19:34,812 [myScheduler-4] ERROR com.company.framework.service.notification.TriggerServiceImpl- Hibernate operation: could not load an entity: [com.com
2016-01-18 13:19:34,812 [myScheduler-4] ERROR com.company.framework.service.notification.TriggerServiceImpl- Hibernate operation: could not load an entity: [com.company.framework.pojo.jc3iedm.ReportingData#32300000000000565988];.
java.sql.SQLException: Connection has already been closed.
at org.apache.tomcat.jdbc.pool.ProxyConnection.invoke(ProxyConnection.java:118)
at com.sun.proxy.$Proxy47.prepareStatement(Unknown Source)
at org.hibernate.jdbc.AbstractBatcher.getPreparedStatement(AbstractBatcher.java:534)
LOG4J_DATESTAMP %{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND})
LOG4J_LOG %{LOG4J_DATESTAMP:timestamp} \[%{GREEDYDATA:thread}\] {LOGLEVEL:level} %{JAVACLASS:class}\-%{SPACE}%{JAVALOGMESSAGE:logmessage}%{SPACE}(^%{JAVACLASS:exception})?
input {
file {
path => "D:/projects/ELK/localhost.log"
start_position => beginning
codec => multiline {
patterns_dir => "../patterns"
pattern => "^%{LOG4J_DATESTAMP}"
negate => true
what => "previous"
}
}
}
filter {
grok {
match => { "message" => "%{LOG4J_LOG}"}
}
}
output {
elasticsearch { }
}
JAVALOGMESSAGE(.*)伊尔哈米(ilhami)我成功率更高,在使用中看到的差异更少 我想到了:
LOG4J_LOG %{LOG4J_DATESTAMP:timestamp} \[(?<thread>[^\]]+)?\] %{LOGLEVEL:level} %{JAVACLASS:class} - (?<message>[^\r\n]+)((\r?\n)(?<extra>(.|\r?\n)+))?
LOG4J_LOG%{LOG4J_邮戳:时间戳}\[(?[^\]]+)?\]%{LOGLEVEL:level}%{JAVACLASS:class}-(?[^\r\n]+)(\r?\n)((?(.\r?\n)+)?