user1137582 user1137582 - 2 months ago 16
Java Question

Take out the first line of a field and add it as a new field in Logstash 1.4.0

I have my ELK stack configured and running using log4j and everything is working fine. What I would like to be able to do is group all exceptions by their type, for example - create a terms graph and have a term for each exception type like FileNotFound, NullPointerException and so on. I already have a stack_trace field which includes the exception type at the first line, and then the complete stack trace. I found something online like this:

filter{
  mutate {
    gsub => [
      "stack_trace", "\n.*", ""
    ]
  }
}


but this would just override the stack_trace field with its first line, which is not what I want. I want to add a new field that takes out the first line, the exception type, of the stack_trace field.

Answer

Make a copy of the stack trace field and perform your gsub on that:

filter{
  mutate {
    add_field => { 
      "exception" => "%{stack_trace}" 
    }
  }
  mutate {
    gsub => [
      "exception", "\n.*", ""
    ]
  }
}

EDIT: Thanks to @Alpha for pointing out this question, you may need to use two separate mutates.
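
The copy-then-gsub approach from the answer above, reproduced in plain Ruby on a constructed event so the effect on both fields can be checked. This is an added example, not part of the original answer and not Logstash code; the helper names and the extra `exception_class` field are assumptions made here for illustration.

```ruby
# Added illustration in plain Ruby; helper names are hypothetical.

# Constructed sample event, shaped like a log4j event with a stack_trace field.
SAMPLE_EVENT = {
  "message" => "failed to load config",
  "stack_trace" =>
    "java.io.FileNotFoundException: /etc/app/conf.yml (No such file or directory)\n" \
    "\tat java.io.FileInputStream.open(Native Method)\n" \
    "\tat com.example.Config.load(Config.java:42)\n" \
    "Caused by: java.lang.NullPointerException\n" \
    "\tat com.example.Config.path(Config.java:17)"
}.freeze

# First mutate in the answer: add_field => { "exception" => "%{stack_trace}" }
def copy_field(event, from, to)
  event.merge(to => event[from].dup)
end

# Second mutate in the answer: gsub => [ "exception", "\n.*", "" ]
# "." does not match a newline, so each match is one "\n" plus the rest of that
# line; replacing every match leaves only the text before the first newline.
def strip_after_first_line(event, field)
  event.merge(field => event[field].gsub(/\n.*/, ""))
end

# Assumption beyond the page: the first line also carries the message, so keep
# only the leading class name to get one stable term per exception type.
def exception_class(first_line)
  first_line[/\A\s*([\w.$]+)/, 1].to_s.split(".").last
end

def extract_exception(event)
  # Logstash leaves an unresolved %{stack_trace} reference as literal text,
  # so events without the field are skipped here (a conditional in Logstash).
  return event unless event["stack_trace"].is_a?(String)

  out = strip_after_first_line(copy_field(event, "stack_trace", "exception"), "exception")
  out.merge("exception_class" => exception_class(out["exception"]))
end

if __FILE__ == $PROGRAM_NAME
  extract_exception(SAMPLE_EVENT).each { |k, v| puts "#{k} => #{v.inspect}" }
end
```

In the Logstash config itself, the equivalent guard is wrapping the two mutate blocks in `if [stack_trace] { ... }`.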