Question

我试图找出下面日志文件的grok模式。它包含1行成功日志和1个警告日志条目。

2016-09-03T12:53:31-04:00   DEV SampleFileService   INFO    512132:414618:SampleFileService-2-FTS   EXECUTING: Error Handling Client Request started

2016-09-03T12:53:31-04:00   DEV SampleFileService   WARNING 512133:414618:SampleFileService-2-FTS   ERROR: Error while sending ErrorHandler request to IEHS Queue: test.queue.publish
Retry count 1 of 3, 
Error: 
<ns0:ErrorReport xmlns:ns0="http://www.tibco.com/pe/EngineTypes">
    <StackTrace>Job-414618 Error in [Process-Path!!]
There was an unexpected error while sending a message.
    at com.tibco.plugin.share.jms.impl.JMSSender.send(Unknown Source)
    at com.tibco.plugin.share.jms.impl.JMSSender.send(Unknown Source)
    at com.tibco.plugin.jms.JMSAbstractTransmitActivity.eval(Unknown Source)
    at com.tibco.pe.plugin.Activity.eval(Unknown Source)
    at com.tibco.pe.core.TaskImpl.eval(Unknown Source)
    at com.tibco.pe.core.Job.a(Unknown Source)
    at com.tibco.pe.core.Job.k(Unknown Source)
    at com.tibco.pe.core.JobDispatcher$JobCourier.a(Unknown Source)
    at com.tibco.pe.core.JobDispatcher$JobCourier.run(Unknown Source)
caused by: com.tibco.plugin.share.jms.impl.JMSExceptionWrapper: javax.jms.JMSException: Failure storing message
    at com.tibco.plugin.share.jms.impl.JMSPluginException.&lt;init&gt;(Unknown Source)
    at com.tibco.plugin.share.jms.impl.JMSSender.send(Unknown Source)
    at com.tibco.plugin.share.jms.impl.JMSSender.send(Unknown Source)
    at com.tibco.plugin.jms.JMSAbstractTransmitActivity.eval(Unknown Source)
    at com.tibco.pe.plugin.Activity.eval(Unknown Source)
    at com.tibco.pe.core.TaskImpl.eval(Unknown Source)
    at com.tibco.pe.core.Job.a(Unknown Source)
    at com.tibco.pe.core.Job.k(Unknown Source)
    at com.tibco.pe.core.JobDispatcher$JobCourier.a(Unknown Source)
    at com.tibco.pe.core.JobDispatcher$JobCourier.run(Unknown Source)
Caused by: javax.jms.JMSException: Failure storing message
    at com.tibco.tibjms.Tibjmsx.buildException(Tibjmsx.java:612)
    at com.tibco.tibjms.TibjmsxSessionImp._publish(TibjmsxSessionImp.java:1544)
    at com.tibco.tibjms.TibjmsMessageProducer._publish(TibjmsMessageProducer.java:246)
    at com.tibco.tibjms.TibjmsQueueSender.send(TibjmsQueueSender.java:74)
    ... 9 more
</StackTrace>
    <Msg>There was an unexpected error while sending a message.</Msg>
    <FullClass>com.tibco.plugin.share.jms.impl.JMSPluginException</FullClass>
    <Class>JMSPluginException</Class>
    <ProcessStack>Stack-Path!!</ProcessStack>
    <MsgCode>BW-JMS-100039</MsgCode>
</ns0:ErrorReport>

Answer 1

您必须在输入中使用多行filter / codec，以便将所有消息组合在一起。两种情况下的配置都相同：

multiline {
  pattern => "%{TIMESTAMP_ISO8601}"
  negate => "true" 
  what => "previous"
}

这会将不以ISO 8601日期开头的行与前一行分组。因此，对于第二条消息，所有行都将在一起。

然后你可以使用这个grok模式：

grok {
  match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:env}%{SPACE}%{WORD:application}%{SPACE}%{WORD:level}%{SPACE}%{NOTSPACE:thread}%{SPACE}%{WORD:status}:%{SPACE}%{GREEDYDATA:message}" }
}

如何为此日志文件编写grok

1 个答案: