@untergeek
Created July 17, 2014 20:59
grok rule oddity...
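input {
  # Events are read from standard input and labelled with a type so the
  # filter section can select them.
  stdin {
    type => "weblogic-server"
  }
}
filter {
  ### weblogic-server
  if [type] == "weblogic-server" {
    # Any line that does NOT start with "####" is appended to the previous
    # event, so a record and its continuation lines (exception text, the
    # closing ">") are joined into one event before parsing.
    # NOTE(review): the multiline filter exists only in older Logstash
    # releases; later ones do this with the multiline codec on the input.
    multiline {
      pattern => "^####"
      negate => true
      what => "previous"
    }
    grok {
      # (?m) lets "." match line breaks. Without it GREEDYDATA stops at the
      # first newline and the continuation lines of a joined record (for
      # example the exception line after "Root cause of ServletException.")
      # stay only in the raw "message" field and never reach "logmessage",
      # which is the field a search or alert on the parsed data would use.
      # With (?m), "logmessage" also carries the record's trailing ">".
      # Events that do not match are tagged _grokparsefailure by default;
      # watch for that tag so unparsed records are not missed downstream.
      match => [ "message", "(?m)%{WLLOG}" ]
      patterns_dir => [ "/home/buh/ticket3545/patterns" ]
    }
  }
  ### End weblogic-server
  ### Date###
  # Sets @timestamp from the record's own epoch-millisecond field instead of
  # the time the event was read. This block sits outside the type conditional,
  # so it applies to every event that carries "unixtimeplus3".
  date {
    match => [ "unixtimeplus3", "UNIX_MS" ]
  }
}
output {
  # Pretty-print each event to the terminal for inspection.
  stdout{codec => rubydebug}
}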
# Grok patterns for WebLogic server log records of the form
#   ####<timestamp> <priority> <subsystem> <host> <jvm> <thread> <process> <> <> <epoch-ms> <code> <message
# Each field is wrapped in angle brackets; WLLOG at the bottom ties them together.

# Hour 0-23, leading zero optional.
WLHOUR (?:2[0123]|[01]?[0-9])
# "Month day, year h:m:s AM/PM" without a time zone; AM/PM is captured as "ampm".
WLDATENOTZ %{MONTH} %{MONTHDAY}, %{YEAR} %{WLHOUR}:%{MINUTE}:%{SECOND} %{WORD:ampm}
# Same as WLDATENOTZ plus the time zone token. Not referenced by any other pattern in this file.
WLDATE %{MONTH} %{MONTHDAY}, %{YEAR} %{WLHOUR}:%{MINUTE}:%{SECOND} %{WORD:ampm} %{NOTSPACE:timezone}
# Bracketed timestamp: the date part goes to "timestamp", the zone to "timezone".
WLTIMESTAMP <%{WLDATENOTZ:timestamp} %{NOTSPACE:timezone}>
# Severity word, e.g. Error.
WLPRIORITY \<%{WORD:priority}\>
# Free-text subsystem field (HTTP in the sample record).
WLINTAPP \<%{DATA:internalapp}\>
# Host name or IP address; the brackets may be empty.
WLHOST \<(?:%{IPORHOST:hostname}?)\>
# JVM / server instance name; the brackets may be empty.
WLJVMNAME \<(?:%{NOTSPACE:jvmname}?)\>
# Message code token, e.g. BEA-101017.
WLCODE %{NOTSPACE:weblogiccode}
# Thread description, matched lazily up to the next ">".
WLTHREAD \<%{DATA:thread}\>
# Process field; tolerates one extra pair of brackets, as in <<WLS Kernel>>.
WLPROCESS \<(?:\<?)%{DATA:process}(?:\>?)\>
# Generic bracketed field with no capture of its own; WLLOG names it when it references it.
WLDATA \<(?:%{DATA})\>
# Epoch time as a positive integer; the Logstash config parses this field as UNIX_MS.
WLUNIXTIME \<%{POSINT:unixtimeplus3}\>
# Remainder of the record. In the sample output on this page "logmessage" ends at the
# first line break, so continuation lines of a joined record are not captured here.
WLMESSAGE %{GREEDYDATA:logmessage}
# Full record. The two fields before the epoch time are either empty "<>" or captured
# as "somedata" / "moredata".
# NOTE(review): the pattern is not anchored with ^ and chains several lazy DATA fields;
# on lines that do not match, an unanchored pattern is retried from every offset, which
# can make parsing of malformed or hostile input slow. Records start with "####", so
# anchoring looks safe, but confirm against real traffic before changing it.
WLLOG ####%{WLTIMESTAMP} %{WLPRIORITY} %{WLINTAPP} %{WLHOST} %{WLJVMNAME} %{WLTHREAD} %{WLPROCESS} (?:\<\>|%{WLDATA:somedata}) (?:\<\>|%{WLDATA:moredata}) %{WLUNIXTIME} <%{WLCODE}> %{WLMESSAGE}
$ bin/logstash -f ~/ticket3545/l.conf
####<Jul 3, 2014 3:16:15 PM CDT> <Error> <HTTP> <patt53> <patt53_7414> <[ACTIVE] ExecuteThread: '164' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1404418575265> <BEA-101017> <[ServletContext@926964577[app:SMP module:/morse path:/morse spec-version:2.5]] Root cause of ServletException.
java.lang.OutOfMemoryError: Java heap space
>
####<Jul 3, 2014 3:16:15 PM CDT> <Error> <HTTP> <patt53> <patt53_7414> <[ACTIVE] ExecuteThread: '164' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1404418575265> <BEA-101017> <[ServletContext@926964577[app:SMP module:/morse path:/morse spec-version:2.5]] Root cause of ServletException.
java.lang.OutOfMemoryError: Java heap space
>
{
"message" => "####<Jul 3, 2014 3:16:15 PM CDT> <Error> <HTTP> <patt53> <patt53_7414> <[ACTIVE] ExecuteThread: '164' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1404418575265> <BEA-101017> <[ServletContext@926964577[app:SMP module:/morse path:/morse spec-version:2.5]] Root cause of ServletException.\n\njava.lang.OutOfMemoryError: Java heap space\n>",
"@version" => "1",
"@timestamp" => "2014-07-03T20:16:15.265Z",
"type" => "weblogic-server",
"gmtoffset" => "-0500",
"host" => "BigMini",
"tags" => [
[0] "multiline"
],
"timestamp" => "Jul 3, 2014 3:16:15 PM",
"ampm" => "PM",
"timezone" => "CDT",
"priority" => "Error",
"internalapp" => "HTTP",
"hostname" => "patt53",
"jvmname" => "patt53_7414",
"thread" => "[ACTIVE] ExecuteThread: '164' for queue: 'weblogic.kernel.Default (self-tuning)'",
"process" => "WLS Kernel",
"unixtimeplus3" => "1404418575265",
"weblogiccode" => "BEA-101017",
"logmessage" => "<[ServletContext@926964577[app:SMP module:/morse path:/morse spec-version:2.5]] Root cause of ServletException."
}