
Logstash Grok overwrite not working


I have the following Logstash grok statements that should run if the field contains the string "Caused", in which case a different pattern is applied to it and it is overwritten, but for some reason it doesn't work. The regex patterns definitely work individually and the issue is in the logic below. Any help appreciated, thanks.

grok {
    patterns_dir => ["./patterns"]
    match => ["message", "%{GREEDYDATA}\n%{JAVA_EXCEPTION_SHORT:exception}"]
}

if [exception] =~ "Caused" {
    grok {
        patterns_dir => ["./patterns"]
        match => ["exception", "{JAVA_EXCEPTION_LONG:exception}"]
        overwrite => ["exception"]
    }
}

Custom Patterns:

JAVA_EXCEPTION_LONG (?<=^Caused by: ).*?Exception
JAVA_EXCEPTION_SHORT ^.+Exception

Example log message:

2016-11-15 05:19:28,801 ERROR [App-Initialisation-Thread] appengine.java:520 Failed to initialize external authenticator myapp Support Access || appuser@vm23-13:/mnt/data/install/assembly app-1.4.12@cad85b224cce11eb5defa126030f21fa867b0dad
java.lang.IllegalArgumentException: Could not check if provided root is a directory
    at com.myapp.io.AbstractRootPrefixedFileSystem.checkAndGetRoot(AbstractRootPrefixedFileSystem.java:67)
    at com.myapp.io.AbstractRootPrefixedFileSystem.<init>(AbstractRootPrefixedFileSystem.java:30)
    at com.myapp.io.s3.S3FileSystem.<init>(S3FileSystem.java:32)
    at com.myapp.io.s3.S3FileSystemDriver.loadFileSystem(S3FileSystemDriver.java:60)
    at com.myapp.io.FileSystems.getFileSystem(FileSystems.java:55)
    at com.myapp.authentication.ldap.S3LdapConfigProvider.initializeCloudFS(S3LdapConfigProvider.java:77)
    at com.myapp.authentication.ldap.S3LdapConfigProvider.loadS3Config(S3LdapConfigProvider.java:51)
    at com.myapp.authentication.ldap.S3LdapConfigProvider.getLdapConfig(S3LdapConfigProvider.java:42)
    at com.myapp.authentication.ldap.DelegatingLdapConfigProvider.getLdapConfig(DelegatingLdapConfigProvider.java:45)
    at com.myapp.authentication.ldap.LdapExternalAuthenticatorFactory.create(LdapExternalAuthenticatorFactory.java:28)
    at com.myapp.authentication.ldap.LdapExternalAuthenticatorFactory.create(LdapExternalAuthenticatorFactory.java:10)
    at com.myapp.frob.appengine.getExternalAuthenticators(appengine.java:516)
    at com.myapp.frob.appengine.startUp(appengine.java:871)
    at com.myapp.frob.appengine.startUp(appengine.java:754)
    at com.myapp.jsp.KewServeInitContextListener$1.run(QServerInitContextListener.java:104)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.nio.file.NoSuchFileException: fh-ldap-config/
    at com.upplication.s3fs.util.S3Utils.getS3ObjectSummary(S3Utils.java:55)
    at com.upplication.s3fs.util.S3Utils.getS3FileAttributes(S3Utils.java:64)
    at com.upplication.s3fs.S3FileSystemProvider.readAttributes(S3FileSystemProvider.java:463)
    at com.myapp.io.AbstractRootPrefixedFileSystem.checkAndGetRoot(AbstractRootPrefixedFileSystem.java:61)

Solution

  • The grok filter fails because you're missing a % in this line:

    match => ["exception", "{JAVA_EXCEPTION_LONG:exception}"]
    

    It should look like this:

    match => ["exception", "%{JAVA_EXCEPTION_LONG:exception}"]
    

    Since the parsing failed, the field exception was not overwritten.
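
Why the missing % leaves the field untouched, shown with a small grok-like model in Ruby. This is an added example, not code from the original question or answer and not Logstash's implementation: the `expand` and `grok` helpers and the sample event are constructed for illustration, and only the two custom patterns are taken from the question.

```ruby
# Minimal grok-like expander (illustrative model, not Logstash's own code).
# Custom patterns copied from the question.
PATTERNS = {
  "JAVA_EXCEPTION_LONG"  => '(?<=^Caused by: ).*?Exception',
  "JAVA_EXCEPTION_SHORT" => '^.+Exception',
}.freeze

# Expand %{NAME:field} into a named capture group. Text without the leading
# "%" is not a pattern reference, so it stays in the regex as literal characters.
def expand(expr)
  expr.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{PATTERNS.fetch($1)})" }
end

# Apply one grok-style match to event[source]. On failure the event is only
# tagged and the field keeps its old value. On success, fields listed in
# overwrite are replaced; other existing fields get the new value appended.
def grok(event, source, expr, overwrite: [])
  m = Regexp.new(expand(expr)).match(event[source].to_s)
  unless m
    return event.merge("tags" => Array(event["tags"]) | ["_grokparsefailure"])
  end
  out = event.dup
  m.names.each do |name|
    if out.key?(name) && !overwrite.include?(name)
      out[name] = Array(out[name]) + [m[name]]
    else
      out[name] = m[name]
    end
  end
  out
end

# Constructed event: the field value is the "Caused by" line from the sample log.
EVENT = { "exception" => "Caused by: java.nio.file.NoSuchFileException: fh-ldap-config/" }.freeze

BROKEN = grok(EVENT, "exception", "{JAVA_EXCEPTION_LONG:exception}",  overwrite: ["exception"])
FIXED  = grok(EVENT, "exception", "%{JAVA_EXCEPTION_LONG:exception}", overwrite: ["exception"])

puts "broken: #{BROKEN.inspect}"
puts "fixed:  #{FIXED.inspect}"
```

In a real pipeline the same symptom shows up as `_grokparsefailure` in the event's `tags`, which is the quickest thing to check when an `overwrite` appears to do nothing.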