当前位置: 文江博客话题详情

Datadog Grok自定义Java堆栈解析和订购的列表字段

发布于 2025-01-28 03:07:41 字数 2890 浏览 2 评论 0原文

我在DataDog中的Grok Pipeline中有以下日志示例:

2022-05-10 11:26:58 [SEVERE]: Log from eu.myapp
  dev added message - eu.myapp.Controller.<init>
java.lang.NullPointerException
    at eu.myapp.Controller.<init>(Controller.java:48)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)

以及以下简单的解析规则

log %{_date}%{space}\[%{_status}\]\:%{space}%{data:logger}(\n%{space}%{data:msg}%{space}-%{space}%{data:in})?(\n%{space}%{data:error.msg})?(\n%{space}%{data:error.stack})?

,并尝试通过重复错误来使其变得更好。堆栈因此将每行添加到数组

log %{_date}%{space}\[%{_status}\]\:%{space}%{data:logger}(\n%{space}%{data:msg}%{space}-%{space}%{data:in})?(\n%{space}%{data:error.msg})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})

输出中,简单:

{  
  "level": "SEVERE",
  "timestamp": 1652182018000,
  "error": {
    "msg": "java.lang.NullPointerException",
    "stack": "at eu.myapp.Controller.<init>(Controller.java:48)\n        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)\n        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)\n        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)"
  },
  "in": "eu.myapp.Controller.<init>",
  "msg": "dev added message",
  "logger": "Log from eu.myapp"
 }

输出更加好:

{
  "level": "SEVERE",
  "timestamp": 1652182018000,
  "error": {
    "msg": "java.lang.NullPointerException",
    "stack": [
      "at java.lang.reflect.Constructor.newInstance(Constructor.java:423)",
      "at eu.myapp.Controller.<init>(Controller.java:48)",
      "at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)",
      "at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)",
      "at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)"
    ]
  },
  "in": "eu.myapp.Controller.<init>",
  "msg": "dev added message",
  "logger": "Log from eu.myapp"
}

您可以看到更加好的。输出更可读性,但列表现在是无序的。有什么方法可以使错误订购?或任何其他提示或技巧可以比我现在做得更好。

我必须注意,我无法控制日志文件生成或格式化。

原文

I have the following log sample in a grok pipeline in datadog:

2022-05-10 11:26:58 [SEVERE]: Log from eu.myapp
  dev added message - eu.myapp.Controller.<init>
java.lang.NullPointerException
    at eu.myapp.Controller.<init>(Controller.java:48)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)

and the following simple parsing rule

log %{_date}%{space}\[%{_status}\]\:%{space}%{data:logger}(\n%{space}%{data:msg}%{space}-%{space}%{data:in})?(\n%{space}%{data:error.msg})?(\n%{space}%{data:error.stack})?

and the attempt to make it nicer by repeating error.stack so each line is added to array

log %{_date}%{space}\[%{_status}\]\:%{space}%{data:logger}(\n%{space}%{data:msg}%{space}-%{space}%{data:in})?(\n%{space}%{data:error.msg})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})?(\n%{space}%{data:error.stack})

output simple:

{  
  "level": "SEVERE",
  "timestamp": 1652182018000,
  "error": {
    "msg": "java.lang.NullPointerException",
    "stack": "at eu.myapp.Controller.<init>(Controller.java:48)\n        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)\n        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)\n        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)"
  },
  "in": "eu.myapp.Controller.<init>",
  "msg": "dev added message",
  "logger": "Log from eu.myapp"
 }

output nicer:

{
  "level": "SEVERE",
  "timestamp": 1652182018000,
  "error": {
    "msg": "java.lang.NullPointerException",
    "stack": [
      "at java.lang.reflect.Constructor.newInstance(Constructor.java:423)",
      "at eu.myapp.Controller.<init>(Controller.java:48)",
      "at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)",
      "at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)",
      "at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)"
    ]
  },
  "in": "eu.myapp.Controller.<init>",
  "msg": "dev added message",
  "logger": "Log from eu.myapp"
}

As you can see the nicer output is more readable but the list is now unordered. Any way to make the error.stack ordered? Or any other tip or trick to parse this scenario better than im doing now.

I must note I have no control over the log file generation or formatting.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

有木有妳兜一样 2025-02-04 03:07:41

整个堆栈跟踪应在error.msg属性中。

因此您可以将Grok解析器更新到此(您可以放回状态和日期辅助规则中)。

log %{date("yyyy-MM-dd HH:mm:ss"):timestamp}%{space}\[%{word:status}\]\:%{space}%{data:logger}(\n%{space}%{data:msg}%{space}-%{space}%{data:in})?(\n%{data:error.msg})?

另外,我建议重命名msg <代码>消息>消息和error.msg error.stack。您可以看到它们被列为 nofollow noreferrer“> recasterved atreved attribute”属性在文档中。这将使堆栈跟踪获得自己的漂亮UI,看起来更加干净。

也请记住创建消息,and

The entire stack trace should be inside the error.msg attribute.

grok parser preview

So you can update your grok parser to this (You can put back in your status and date helper rules).

log %{date("yyyy-MM-dd HH:mm:ss"):timestamp}%{space}\[%{word:status}\]\:%{space}%{data:logger}(\n%{space}%{data:msg}%{space}-%{space}%{data:in})?(\n%{data:error.msg})?

Also I recommend renaming msg to message and error.msg to error.stack. You can see they are listed as a reserved attribute in the docs. This will make it so that the stack trace gets its own pretty UI that's a lot cleaner looking.

prettified log in explorer

Also remember to create the message, status, and date remappers in your pipeline so the default values of your log all get updated appropriately.

回复 原文
~没有更多了~

关于作者

乖乖哒

暂无简介

文章
评论
28 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

李珊平

文章 0 评论 0

Quxin

文章 0 评论 0

范无咎

文章 0 评论 0

github_ZOJ2N8YxBm

文章 0 评论 0

若言

文章 0 评论 0

南…巷孤猫

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文