0

Below is my config file:

filter {
if [type] == "syslog" {
     multiline {

            pattern => "^%{TIMESTAMP_ISO8601}"
            negate => true
            what => "previous"
            max_age => 7
            add_tag => [ "multiline" ]      }

    grok {
    break_on_match => false
    match => { "message" => "%{TIMESTAMP_ISO8601:logTime} %{LOGLEVEL:LogLevel} \[%{NOTSPACE:logClass}\] %{GREEDYDATA:LogMsg}" }
    match => ["message", "(.*Caused by: +%{GREEDYDATA:causedBy}$)?"]
         }
    date {
    match => [ "logTime" , "yyyyMMdd-HH:mm:ss.SSSZ", "ISO8601" ]
            timezone => "UTC"
   }
}
}

My logs :

2014-01-29 11:06:48,384 ERROR   [de.Fm.Radium.Thorium.server.bean3.vollinfo.VollinfoTransformer] A sequence of more than one item is not allowed as the third argument of c$
net.sf.saxon.trans.DynamicError: A sequence of more than one item is not allowed as the third argument of concat()
       at com.amazonaws.auth.AbstractAWSSigner.signAndBase64Encode(AbstractAWSSigner.java:71)
       at com.amazonaws.auth.AbstractAWSSigner.signAndBase64Encode(AbstractAWSSigner.java:71)
       at com.amazonaws.auth.AbstractAWSSigner.signAndBase64Encode(AbstractAWSSigner.java:71)
Caused by: com.amazonaws.AmazonClientException: Unable to calculate a request signature: Empty key
       at com.amazonaws.services.sqs.AmazonSQSClient.invoke(AmazonSQSClient.java:776)
       at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:170)
Caused by: com.amazonaws.AmazonClientException: Unable to calculate a request signature: Empty key
       at com.amazonaws.auth.AbstractAWSSigner.sign(AbstractAWSSigner.java:90)
       at com.amazonaws.auth.AbstractAWSSigner.signAndBase64Encode(AbstractAWSSigner.java:68)
2014-01-29 11:06:48,383 ERROR [stderr]   XPTY0004: A sequence of more than one item is not allowed as the third argument of concat()

What I need to capture is the whole line starting with 'Caused by' up to the line break. My Problem is ,I captur just the last one (Caused by)

baudsp
  • 4,076
  • 1
  • 17
  • 35
b.bab
  • 9
  • 3
  • Could you explain what you intend to do? And what's not working? – baudsp Oct 19 '16 at 12:59
  • I have my filter configured like this here: grok { break_on_match => false match => [ "message", "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:level} +\[%{DATA:java_class}\] +%{GREEDYDATA:meldung}$" ] match => [ "message", "(.*Caused by: +%{GREEDYDATA:causedBy}$)?" ] } – b.bab Oct 19 '16 at 14:06
  • my problem is, that my Grok-Filter take over only the Last Caused_by and ignore the others . – b.bab Oct 19 '16 at 14:08
  • What I need to capture is the whole line starting with 'Caused by' up to the line break – b.bab Oct 19 '16 at 14:13
  • I can't help you without any log examples, you should have added them when you asked the question. And the question is very poorly worded. – baudsp Oct 19 '16 at 14:25
  • I have mine example led there lied – b.bab Oct 19 '16 at 14:58
  • I have no idea why it does that. Sorry I can't help further – baudsp Oct 19 '16 at 15:04

0 Answers0