Hey,
I’m using the following pattern to capture multiline java exceptions:
^[[:space:]]+(at|.{3})[[:space:]]+\b|^Caused by:|^[a-zA-Z].[a-zA-Z].[a-zA-Z]*:
This is basically the default expression to capture java multiline exceptions provided by elastic. I’ve only added the last group (yea, I’m a noob :P) to capture the line after the log is printed.
I’ve run the pattern and an example exception against the elastic go-playground (https://play.golang.org/p/uAd5XHxscu):
Sample Exception
2020-08-05 09:19:00,723 ERROR ARGH WE GOIN DOWN
java.sql.SQLException: No suitable driver found
at java.sql.DriverManager.getConnection(DriverManager.java:689) ~[na:1.8.0_252]
at java.sql.DriverManager.getConnection(DriverManager.java:270) ~[na:1.8.0_252]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) [spring-core-4.3.14.RELEASE.jar:4.3.14.RELEASE]
Caused By: EXCEPTION
Playground Results
matches line
false 2020-08-05 09:19:00,723 ERROR ARGH WE GOIN DOWN
true java.sql.SQLException: No suitable driver found
true at java.sql.DriverManager.getConnection(DriverManager.java:689) ~[na:1.8.0_252]
true at java.sql.DriverManager.getConnection(DriverManager.java:270) ~[na:1.8.0_252]
true at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) [spring-
core-4.3.14.RELEASE.jar:4.3.14.RELEASE]
true Caused By: EXCEPTION
So this seems to be working?
When checking graylog though, I’m getting a seperate log for each line…
Sidecar-Config:
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
hosts: ["xxxxxxx:5044"]
path:
data: C:\Program Files\Graylog\sidecar\cache\filebeat\data
logs: C:\Program Files\Graylog\sidecar\logs
tags:
- TAG
filebeat.inputs:
- type: log
enabled: true
paths:
- xxxxxxx
multiline.pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:|^[a-zA-Z]*.[a-zA-Z]*.[a-zA-Z]*:'
multiline.negate: false
multiline.match: after
Any hints on what I might be doing wrong?