私はlogstash実行したときに、私はランダムエラーを取得しています:Logstash数時間後にランダムに停止
16:30:26.240 [[メイン]> worker0] ERRORのlogstash.pipeline - 例外pipelineworker では、パイプラインが新しいイベントの処理を停止しました。 フィルタ設定を確認し、Logstashを再起動してください。 {"例外" =>#、 "バックトレース" => ["org/jruby/RubyString.java:3101:
gsub'", "org/jruby/RubyString.java:3069:ingsub '"、 "/usr/share/logstash/vendor/bundle/jruby/1.9/ grub/rubyArray.java:1613:ineach'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:290:ingsub '"、 "、 "gsub"、 "org/jruby/RubyArray.java:1613:each'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:290:in"、 の中のgems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb: /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:207:infilter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:145:indo_filter '"、 "/usr /share/logstash/logstash-core/lib/logstash/filters/base.rb:164:inmulti_filter'", "org/jruby/RubyArray.java:1613:ineach '"、 " /usr/share/logstash/logstash-core/lib/logstash/filters/base.rb :161:multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filter_delegator.rb:41:inmulti_filter "」、 "(evalの):4135:initialize'", "org/jruby/RubyArray.java:1613:inにおける各 '"、 "(evalの):4131:initialize'", "org/jruby/RubyProc.java:281:inコール':997:"、 "(evalの)filter_func'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:295:infilter_batchで「中"、「ORG/JRubyの/RubyProc.java:281:incall'", "/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:192:ineach '"、" org/jruby/RubyHash.java:1342:each'", "/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:191:ineach' "、 " /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb :294:filter_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:282:inworker_loop」」、 " /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:258:instart_workers'"]} 16:30:26.542 [LogStash::Runner] FATAL logstash.runner - An unexpected error occurred! {:error=>#<InterruptedRegexpError: Regexp Interrupted>, :backtrace=>["org/jruby/RubyString.java:3101:inGSUB」"、 "ORG/JRubyの/ RubyString.javaで: 3069:gsub'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:317:ingsub_dynamic_fields '"、 " /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb: 308:ingsub'", "org/jruby/RubyArray.java:1613:ineach '"、 " /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:290:gsub'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.1.3/lib/logstash/filters/mutate.rb:207:inフィルタ」」、 "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:145:indo_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:164:inmulti_filter"で"、" ORG/JRubyの/ RubyArray.java:1613: 1613: " " ORG/JRubyの/ RubyArray.java「multi_filter'", "(eval):4135:in初期化/usr/share/logstash/logstash-core/lib/logstash/filter_delegator.rb:41:in」、 "「each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:161:inmulti_filterでeach'", "(eval):4131:inで"/ usr/share/logstash/logstash-core/lib/logstash/p"に設定してください。 ipeline.rb:295:filter_batch'", "org/jruby/RubyProc.java:281:inコール」」、 "/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:192:ineach'", "org/jruby/RubyHash.java:1342:in各「"、 」は/ usr /中/ share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:191:each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:294:infilter_batch '"、 " /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:282:worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:258:instart_workers' "]}に
マイlogstashの設定ファイルは次のとおりです。
input {
file {
type => "SystemError"
path => "/app/systemerr/**/*"
start_position => "beginning"
codec => multiline {
pattern => "^\s"
what => "previous"
}
}
file {
type => "SystemOut"
path => "/app/systemout/**/*"
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => true
what => "previous"
}
}
file {
type => "Errorlog"
path => "/app/error/**/*"
start_position => "beginning"
codec => multiline {
pattern => "^FATAL"
negate => true
what => "previous"
}
}
file {
type => "Messagelog"
path => "/app/message/**/*"
start_position => "beginning"
codec => multiline {
pattern => "^ERROR"
negate => true
what => "previous"
}
}
}
filter {
if [type] == "SystemError" {
grok {
match => { "message" => "\[%{DATA:timestamp}] %{BASE16NUM:threadID} (?<shortname>\b[A-Za-z0-9\$]{2,}\b)%{SPACE}%{WORD:loglevel}%{SPACE} %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
mutate {
gsub => ["timestamp", " GMT\+05\:30", ""]
}
date {
match => ["timestamp", "M/dd/yy HH:mm:ss:SSS"]
}
if ([message] =~ "^\tat") {
drop {}
}
if ([path] =~ "113") {
mutate {
add_field => { "server" => "113" }
}
} else {
mutate {
add_field => { "server" => "117" }
}
}
}
if [type] == "SystemOut" {
grok {
match => { "message" => "\[%{DATA:timestamp}] %{BASE16NUM:threadID} (?<shortname>\b[A-Za-z0-9\$]{2,}\b)%{SPACE}%{WORD:loglevel}%{SPACE} %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
mutate {
gsub => ["timestamp", " GMT\+05\:30", ""]
}
date {
match => ["timestamp", "M/dd/yy HH:mm:ss:SSS"]
}
if ([path] =~ "113") {
mutate {
add_field => { "server" => "113" }
}
} else {
mutate {
add_field => { "server" => "117" }
}
}
}
if [type] == "Errorlog" {
grok {
match => { "message" => "%{LOGLEVEL:loglevel} \| %{TIMESTAMP_ISO8601:timestamp} \| %{DATA:string} \: %{DATA:WebContainer} \| %{DATA:code} \| %{DATA:country} \| %{DATA:user} \| %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
date {
match => ["timestamp", "yyyy-M-dd HH:mm:ss,SSS"]
}
mutate { remove_field => [ "string" ] }
if ([path] =~ "113") {
mutate {
add_field => { "server" => "113" }
}
} else {
mutate {
add_field => { "server" => "117" }
}
}
}
if [type] == "Messagelog" {
grok {
match => { "message" => "%{LOGLEVEL:loglevel} \| %{TIMESTAMP_ISO8601:timestamp} \| %{DATA:string} \: %{DATA:WebContainer} \| %{DATA:code} \| %{DATA:country} \| %{DATA:user} \| %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
date {
match => ["timestamp", "yyyy-M-dd HH:mm:ss,SSS"]
}
mutate {
remove_field => [ "string" ]
}
if ([path] =~ "113") {
mutate {
add_field => { "server" => "113" }
}
} else {
mutate {
add_field => { "server" => "117" }
}
}
}
}
設定ファイルに何か問題はありますか?助けてください。
はい、私は_grokparsefailureを取得しますが、タイムスタンプはログが解析された時のデフォルトになります...なぜlogstashが完全に機能しなくなるのか理解できませんか? –
Logstashフィルタは、常にエラーを適切に処理するとは限りません。この場合、そこに存在しないフィールドを抑止しようとしています(したがって、ルビースタックダンプ)。あなたが私の提案を使うと、それは悪い価値を逆参照しようとせず、死ぬこともありません。 – Alcanzar