Wednesday, June 24, 2015

Example Logstash config to parse Java / Scala multiline logs (e.g. stacktraces) into ES


Java/Scala stack traces are multiline, and usually they have the message starting from

Any line that does not start with '[' is joined to the previous line that has '[' at the beginning.

E.g. this works with Logstash 1.4.0+:

if [type] == "app_logs" {
    multiline {
      pattern => "^[^\[]"
      what => "previous"
    }
    grok {
      match => { "message" => "\[(?<app_log_timestamp>.+)] \[%{WORD:app_name}\] \[(?<thread_name>.+)\] \[(?<class_name>.+)\] \[(?<marker>[a-zA-Z]*)\] \[(?<transaction_id>.*)\] \[%{WORD:log_level}\]: ?%{GREEDYDATA:msg}" }
    }
    date {
      match => ["app_log_timestamp", "MM/dd HH:mm:ss:SSS", "ISO8601"]
      target => "@timestamp"
      add_tag => [ "timestamp_updated_w_log_value" ]
      remove_field => [ "app_log_timestamp" ]
    }
}

This works for all Java multiline logs; the only rule is that the continuation lines of a multiline log entry must not start with '['.

Useful link: http://logstash.net/docs/1.4.0.rc1/filters/multiline

Also, starting from Logstash 1.2, there is a 'multiline' codec (http://logstash.net/docs/1.2.2/codecs/multiline). But I didn't get it to work properly with Logstash 1.4. What I tried:

input {
  file {
      codec => multiline {
        pattern => "^\s"
        what => "previous"
      }
    # ..... file path and so on
  }
}

The issue I met with the 'multiline' codec: Java stacktraces were parsed without the very first line. E.g. in ES I was getting:

java.lang.RuntimeException: Exception while executing statement : An I/O error occurred while sending to the backend. errorCode: 0, sqlState: 08006 at ... [other stacktrace lines omitted]

Instead of expected:

[06/24 16:43:51:393] [app_name] [pool-99-thread-999] [ClassName] [smth0] [bar] [ERROR]: Cannot load XXX java.lang.RuntimeException: Exception while executing statement : An I/O error occurred while sending to the backend. errorCode: 0, sqlState: 08006 at ... [other stacktrace lines omitted]
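
How the two patterns on this page group lines, as an added Ruby sketch that is not Logstash's code or the author's. `join_previous`, `grok` and `summarize` are hypothetical helpers, the log lines are constructed, and the grok macros are expanded by hand (`%{WORD}` to `\b\w+\b`, `%{GREEDYDATA}` to `.*`).

```ruby
# Added illustration (not Logstash code): models "what => previous" joining
# and the post's grok expression with plain Ruby regexes.

# Grok macros expanded by hand; the ']' after the timestamp is escaped.
GROK = /\[(?<app_log_timestamp>.+)\] \[(?<app_name>\b\w+\b)\] \[(?<thread_name>.+)\] \[(?<class_name>.+)\] \[(?<marker>[a-zA-Z]*)\] \[(?<transaction_id>.*)\] \[(?<log_level>\b\w+\b)\]: ?(?<msg>.*)/

FILTER_PATTERN = /^[^\[]/  # filter config: any line not starting with '['
CODEC_PATTERN  = /^\s/     # codec attempt: only lines starting with whitespace

# Constructed sample input: one entry with a stack trace, then one plain entry.
SAMPLE = [
  "[06/24 16:43:51:393] [billing] [pool-3-thread-7] [OrderDao] [DB] [tx42] [ERROR]: Cannot load order",
  "java.lang.RuntimeException: Exception while executing statement",
  "\tat com.example.OrderDao.load(OrderDao.java:42)",
  "Caused by: java.io.IOException: connection reset",
  "\tat com.example.Db.send(Db.java:7)",
  "[06/24 16:43:52:001] [billing] [main] [App] [] [] [INFO]: started",
].freeze
# Constructed variant: a continuation line that itself starts with '['.
BRACKETED = SAMPLE.dup.insert(3, "[suppressed frames omitted]")

# A line matching `pattern` joins the previous event; any other line starts a new one.
def join_previous(lines, pattern)
  lines.each_with_object([]) do |line, events|
    if line =~ pattern && !events.empty?
      events.last << "\n" << line
    else
      events << line.dup
    end
  end
end

# Named captures for an event, or nil (Logstash would tag _grokparsefailure).
def grok(event)
  m = GROK.match(event)
  m && m.named_captures
end

# [number of events, number of events the grok expression rejects]
def summarize(lines, pattern)
  events = join_previous(lines, pattern)
  [events.size, events.count { |e| grok(e).nil? }]
end

if __FILE__ == $PROGRAM_NAME
  p summarize(SAMPLE, FILTER_PATTERN)
  p summarize(SAMPLE, CODEC_PATTERN)
  p summarize(BRACKETED, FILTER_PATTERN)
end
```

In this model, `^\s` lets the unindented exception line and the `Caused by:` line each start their own event, so the header line and the trace land in separate events. With `^[^\[]`, a continuation line that begins with '[' cuts the trace in the same way.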

Wednesday, June 10, 2015

Script for Jenkins 'Total build status' job

Script for a Jenkins 'Total build status' job that displays all failed jobs with their last changes, committers and links to each job's console. It will fail if at least one other Jenkins job has failed.

Usage:
- Create Jenkins Freestyle job
- Add this script as "Execute system Groovy script" build step