我的日志文件中有多种(三种)日志。其中一种类型有一些自己的打印+异常堆栈跟踪。下面列出了这个例子:
Multiple lines example:
2018-04-27 10:53:17 [http-nio-8088-exec-4] - ERROR - app-info-exception-info - params:{"cardid":"111111111","txamt":10,"ip":"192.168.16.89","stationcode":"0002","inputuserid":1,"organcode":"99999"} java.lang.NullPointerException: null
at com.datalook.group.BusinessHandler.handler(BusinessHandler.java:93) ~[classes/:?]
at com.datalook.group.BusinessGroupController.businessGroup(BusinessGroupController.java:51) [classes/:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_77]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_77]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_77]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_77]
我有解析它的模式,它是:
#pattern:
(?<timestamp>[\d\-\s\:]+)\s\[(?<threadname>[\w\-\d]+)\]\s-\s(?<loglevel>[\w]+)\s\-\s(?<appinfo>app-info-exception-info)\s-\s(?<params>params):(?<jsonstr>[\"\w\d\,\:\.\{\}]+)\s(?<exceptionname>[\w\d\.]+Exception):\s(?<exceptiondetail>[\w\d\.]+)\n\t(?<extralines>at[\s\w\.\d\~\?\n\t\(\)\_\[\]\/\:\-]+)\n
在解析多行异常堆栈跟踪时,模式有错误(实际上不是错误,但不是全部解析或按预期解析),主要是最后两部分(exceptiondetail(在本例中为null)和extralines(以空格或制表符开头的那些行)加上&#39; at&#39;,或第一行堆栈跟踪后的行))。还有比我更好的主意吗?
在filebeat.yml中,我有以下配置:
# The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
multiline.pattern: '^[[:space:]]'
# Defines if the pattern set under pattern should be negated or not. Default is false.
multiline.negate: false
multiline.match: after
有什么想法改进解析多行(异常堆栈跟踪)?
答案 0 :(得分:3)
如何让它变得更简单?使用at将额外数据(所有行以GREEDYDATA开头)分配到(?m)到一个字段?
例如,如果这是您的日志,
2018-04-27 10:53:17 [http-nio-8088-exec-4] - ERROR - app-info-exception-info - params:{"cardid":"111111111","txamt":10,"ip":"192.168.16.89","stationcode":"0002","inputuserid":1,"organcode":"99999"} java.lang.NullPointerException: null
at com.datalook.group.BusinessHandler.handler(BusinessHandler.java:93) ~[classes/:?]
at com.datalook.group.BusinessGroupController.businessGroup(BusinessGroupController.java:51) [classes/:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_77]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_77]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_77]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_77]
您可以将其解析为,
%{TIMESTAMP_ISO8601:timestamp} \[%{DATA:threadname}\] - %{LOGLEVEL:loglevel} - app-info-exception-info - params:%{SPACE}\{\"%{DATA:jsondata}\"\} %{DATA:excentionname}: %{DATA:exceptiondetail}\n(?m)%{GREEDYDATA:extralines}
将输出,
{
"timestamp": [
[
"2018-04-27 10:53:17"
]
],
"YEAR": [
[
"2018"
]
],
"MONTHNUM": [
[
"04"
]
],
"MONTHDAY": [
[
"27"
]
],
"HOUR": [
[
"10",
null
]
],
"MINUTE": [
[
"53",
null
]
],
"SECOND": [
[
"17"
]
],
"ISO8601_TIMEZONE": [
[
null
]
],
"threadname": [
[
"http-nio-8088-exec-4"
]
],
"loglevel": [
[
"ERROR"
]
],
"SPACE": [
[
""
]
],
"jsondata": [
[
"cardid":"111111111","txamt":10,"ip":"192.168.16.89","stationcode":"0002","inputuserid":1,"organcode":"99999"
]
],
"excentionname": [
[
"java.lang.NullPointerException"
]
],
"exceptiondetail": [
[
"null"
]
],
"extralines": [
[
" at com.datalook.group.BusinessHandler.handler(BusinessHandler.java:93) ~[classes/:?]\n at com.datalook.group.BusinessGroupController.businessGroup(BusinessGroupController.java:51) [classes/:?]\n at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_77]\n at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_77]\n at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_77]\n at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_77]"
]
]
}
您可以将(?m)替换为%{SPACE},以便将以at开头的每一行划分到自己的字段中。
答案 1 :(得分:0)
我认为你可以这样做,并告诉每一个新行都将以时间戳开头:
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after