thread 10889/0x2a89 and some other processbufferprocessor threads comsume too much CPU continuously. And process buffer is full.
Graylog Version: Graylog 2.2.3+7adc951 (Oracle Corporation 1.8.0_60 on Linux 3.10.0-229.el7.x86_64)
[1] Busy(12.7%) thread(10889/0x2a89) stack of java process(10792) under user(root):
"processbufferprocessor-4" #50 prio=5 os_prio=0 tid=0x00007f5c493f5000 nid=0x2a89 runnable [0x00007f5bbdee8000]
java.lang.Thread.State: RUNNABLE
at java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3797)
at java.util.regex.Pattern$Curly.match0(Pattern.java:4272)
at java.util.regex.Pattern$Curly.match(Pattern.java:4234)
at java.util.regex.Pattern$Start.match(Pattern.java:3461)
at java.util.regex.Matcher.search(Matcher.java:1248)
at java.util.regex.Matcher.find(Matcher.java:637)
at com.google.code.regexp.Matcher.find(Unknown Source)
at oi.thekraken.grok.api.Grok.match(Grok.java:311)
at org.graylog.plugins.pipelineprocessor.functions.strings.GrokMatch.evaluate(GrokMatch.java:65)
at org.graylog.plugins.pipelineprocessor.functions.strings.GrokMatch.evaluate(GrokMatch.java:34)
at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:63)
at org.graylog.plugins.pipelineprocessor.ast.expressions.Expression.evaluate(Expression.java:41)
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:33)
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:22)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStatement(PipelineInterpreter.java:372)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.executeRuleActions(PipelineInterpreter.java:359)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStage(PipelineInterpreter.java:302)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:264)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:144)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:100)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.handleMessage(ProcessBufferProcessor.java:119)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:105)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:82)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45)
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143)
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
at java.lang.Thread.run(Thread.java:745)
[2] Busy(12.4%) thread(10899/0x2a93) stack of java process(10792) under user(root):
"processbufferprocessor-14" #60 prio=5 os_prio=0 tid=0x00007f5c49349000 nid=0x2a93 runnable [0x00007f5bbd4de000]
java.lang.Thread.State: RUNNABLE
at java.util.regex.Pattern$CharProperty.match(Pattern.java:3776)
at java.util.regex.Pattern$Curly.match0(Pattern.java:4260)
at java.util.regex.Pattern$Curly.match(Pattern.java:4234)
at java.util.regex.Pattern$Start.match(Pattern.java:3461)
at java.util.regex.Matcher.search(Matcher.java:1248)
at java.util.regex.Matcher.find(Matcher.java:637)
at com.google.code.regexp.Matcher.find(Unknown Source)
at oi.thekraken.grok.api.Grok.match(Grok.java:311)
at org.graylog.plugins.pipelineprocessor.functions.strings.GrokMatch.evaluate(GrokMatch.java:65)
at org.graylog.plugins.pipelineprocessor.functions.strings.GrokMatch.evaluate(GrokMatch.java:34)
at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:63)
at org.graylog.plugins.pipelineprocessor.ast.expressions.Expression.evaluate(Expression.java:41)
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:33)
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:22)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStatement(PipelineInterpreter.java:372)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.executeRuleActions(PipelineInterpreter.java:359)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStage(PipelineInterpreter.java:302)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:264)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:144)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:100)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.handleMessage(ProcessBufferProcessor.java:119)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:105)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:82)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45)
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143)
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
at java.lang.Thread.run(Thread.java:745)
[3] Busy(12.3%) thread(10895/0x2a8f) stack of java process(10792) under user(root):
"processbufferprocessor-10" #56 prio=5 os_prio=0 tid=0x00007f5c48488800 nid=0x2a8f runnable [0x00007f5bbd8e3000]
java.lang.Thread.State: RUNNABLE
at java.util.regex.Pattern$Curly.match0(Pattern.java:4260)
at java.util.regex.Pattern$Curly.match(Pattern.java:4234)
at java.util.regex.Pattern$Start.match(Pattern.java:3461)
at java.util.regex.Matcher.search(Matcher.java:1248)
at java.util.regex.Matcher.find(Matcher.java:637)
at com.google.code.regexp.Matcher.find(Unknown Source)
at oi.thekraken.grok.api.Grok.match(Grok.java:311)
at org.graylog.plugins.pipelineprocessor.functions.strings.GrokMatch.evaluate(GrokMatch.java:65)
at org.graylog.plugins.pipelineprocessor.functions.strings.GrokMatch.evaluate(GrokMatch.java:34)
at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:63)
at org.graylog.plugins.pipelineprocessor.ast.expressions.Expression.evaluate(Expression.java:41)
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:33)
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:22)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStatement(PipelineInterpreter.java:372)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.executeRuleActions(PipelineInterpreter.java:359)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStage(PipelineInterpreter.java:302)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:264)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:144)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:100)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.handleMessage(ProcessBufferProcessor.java:119)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:105)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:82)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45)
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143)
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
at java.lang.Thread.run(Thread.java:745)
[4] Busy(12.3%) thread(10893/0x2a8d) stack of java process(10792) under user(root):
"processbufferprocessor-8" #54 prio=5 os_prio=0 tid=0x00007f5c48484800 nid=0x2a8d runnable [0x00007f5bbdae4000]
java.lang.Thread.State: RUNNABLE
at java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3797)
at java.util.regex.Pattern$Curly.match0(Pattern.java:4272)
at java.util.regex.Pattern$Curly.match(Pattern.java:4234)
at java.util.regex.Pattern$Start.match(Pattern.java:3461)
at java.util.regex.Matcher.search(Matcher.java:1248)
at java.util.regex.Matcher.find(Matcher.java:637)
at com.google.code.regexp.Matcher.find(Unknown Source)
at oi.thekraken.grok.api.Grok.match(Grok.java:311)
at org.graylog.plugins.pipelineprocessor.functions.strings.GrokMatch.evaluate(GrokMatch.java:65)
at org.graylog.plugins.pipelineprocessor.functions.strings.GrokMatch.evaluate(GrokMatch.java:34)
at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:63)
at org.graylog.plugins.pipelineprocessor.ast.expressions.Expression.evaluate(Expression.java:41)
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:33)
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:22)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStatement(PipelineInterpreter.java:372)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.executeRuleActions(PipelineInterpreter.java:359)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStage(PipelineInterpreter.java:302)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:264)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:144)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:100)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.handleMessage(ProcessBufferProcessor.java:119)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:105)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:82)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45)
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143)
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
at java.lang.Thread.run(Thread.java:745)
[5] Busy(12.3%) thread(10891/0x2a8b) stack of java process(10792) under user(root):
"processbufferprocessor-6" #52 prio=5 os_prio=0 tid=0x00007f5c493f8800 nid=0x2a8b runnable [0x00007f5bbdce6000]
java.lang.Thread.State: RUNNABLE
at java.util.regex.Pattern$CharProperty.match(Pattern.java:3776)
at java.util.regex.Pattern$Curly.match0(Pattern.java:4260)
at java.util.regex.Pattern$Curly.match(Pattern.java:4234)
at java.util.regex.Pattern$Start.match(Pattern.java:3461)
at java.util.regex.Matcher.search(Matcher.java:1248)
at java.util.regex.Matcher.find(Matcher.java:637)
at com.google.code.regexp.Matcher.find(Unknown Source)
at oi.thekraken.grok.api.Grok.match(Grok.java:311)
at org.graylog.plugins.pipelineprocessor.functions.strings.GrokMatch.evaluate(GrokMatch.java:65)
at org.graylog.plugins.pipelineprocessor.functions.strings.GrokMatch.evaluate(GrokMatch.java:34)
at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:63)
at org.graylog.plugins.pipelineprocessor.ast.expressions.Expression.evaluate(Expression.java:41)
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:33)
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:22)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStatement(PipelineInterpreter.java:372)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.executeRuleActions(PipelineInterpreter.java:359)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStage(PipelineInterpreter.java:302)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:264)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:144)
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:100)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.handleMessage(ProcessBufferProcessor.java:119)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:105)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:82)
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45)
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143)
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
at java.lang.Thread.run(Thread.java:745)
graylog’s log is here:
2017-10-23 10:28:59,910 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Node <79ee427e-1229-46a0-8de5-1a2fef592362> not found while trying to call org.graylog2.shared.rest.resources.system.RemoteMetricsResource on it.
2017-10-23 10:29:07,019 INFO : org.elasticsearch.monitor.jvm - [graylog-79ee427e-1229-46a0-8de5-1a2fef592362] [gc][old][236585][6513] duration [5.7s], collections [1]/[6.2s], total [5.7s]/[42.6m], memory [1.8gb]->[1.7gb]/[1.9gb], all_pools {[young] [819.2mb]->[764.9mb]/[819.2mb]}{[survivor] [73.7mb]->[0b]/[102.3mb]}{[old] [1023.9mb]->[1023.9mb]/[1gb]}
2017-10-23 10:29:07,033 WARN : org.graylog2.periodical.NodePingThread - Did not find meta info of this node. Re-registering.
2017-10-23 10:29:11,899 WARN : org.graylog2.periodical.NodePingThread - Did not find meta info of this node. Re-registering.
2017-10-23 10:29:17,969 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Node <79ee427e-1229-46a0-8de5-1a2fef592362> not found while trying to call org.graylog2.shared.rest.resources.system.RemoteMetricsResource on it.
2017-10-23 10:29:18,147 WARN : org.graylog2.periodical.NodePingThread - Did not find meta info of this node. Re-registering.
2017-10-23 10:29:23,100 WARN : org.graylog2.periodical.NodePingThread - Did not find meta info of this node. Re-registering.
Rules:
rule "add app_host"
when
has_field("message") AND to_string($message.app_name) == "contract"
then
set_field("app_host", to_string($message.source));
end
rule "ngx_log"
when
to_string($message.app_loglevel) == "ACCESS"
then
let r = grok("%{IPORHOST:http_clientip}\t%{HTTPDATE:http_timestamp}\t%{WORD:http_method}\t%{IPORHOST:http_host}(?::%{NUMBER}|)\t%{NUMBER:http_port}\t(:?%{IPORHOST:http_upstream_ip}:%{POSINT:http_upstream_port}|-|)(\t|)%{URIPATH:http_uri}(?:%{GREEDYDATA:http_param})?\tHTTP/%{NUMBER:http_protocol}\t%{NUMBER:http_status}\t%{NUMBER:http_content_length}\t(?:%{GREEDYDATA:http_referer}|-)\tUA:%{GREEDYDATA:http_user_agent}\t(:?%{GREEDYDATA:http_xforwardedfor}|-|)\t%{NUMBER:http_request_duration}\t(:?%{NUMBER:http_upstream_request_duration}|-)",to_string($message.message));
set_field("http_clientip",r.http_clientip);
set_field("http_timestamp",r.http_timestamp);
set_field("http_method",r.http_method);
set_field("http_host",r.http_host);
set_field("http_port",r.http_port);
set_field("http_upstream_ip",r.http_upstream_ip);
set_field("http_upstream_port",r.http_upstream_port);
set_field("http_uri",r.http_uri);
set_field("http_param",r.http_param);
set_field("http_protocol",r.http_protocol);
set_field("http_status",r.http_status);
set_field("http_content_length",r.http_content_length);
set_field("http_referer",r.http_referer);
set_field("http_user_agent",r.http_user_agent);
set_field("http_xforwardedfor",r.http_xforwardedfor);
set_field("http_request_duration",r.http_request_duration);
set_field("http_upstream_request_duration",r.http_upstream_request_duration);
end