0

I am trying to write a ELK-Watcher to send alert in case of any exception in my Java-Application logs.

Our application-log is already getting indexed in Elastic-Search. And under log_message field, I am able to index log-message or exception-message(in case of exception) along with exception-trace.

For example

In normal case(with no exception) log_message field will have value something like as follows.

Executing task using ExecutorService

But in case of Exception, log_message field have something like as follows

Exception while executing task : java.util.concurrent.CancellationException [StackTrace Hash 38fe72fbd18c26e8cd74b0a3c196c1441f1814e10224a323f83ec105dd355f10]
java.util.concurrent.CancellationException
        at java.util.concurrent.FutureTask.report(FutureTask.java:121)
        at java.util.concurrent.FutureTask.get(FutureTask.java:192)
        at com.comp.tasks.TaskExecutor$MDCFuture.get(TaskExecutor.java:103)
        at com.comp.tasks.TaskExecutor.afterExecute(TaskExecutor.java:239)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1157)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

Above two are just sample log_message's, but exception can originate from any other class in application with different exception-message or exception-trace.

I want to write ELK-Watcher and use Kibana-filter-query-DSL to detect if log_message field contains exceptions.

I tried many different Kibana-filter-query-dsl to filter-out log_message with exception trace. But none of them worked.

Is it possible to write any Kibana-filter-query-dsl to detect exception by looking for \n\tat in log_message field? Please help.

Improve this question
5
  • are you storing log.level field from your application log ? If you are storing then it will be very easy because then you need to just check if log.level value is error and send alert. Commented Jun 28, 2022 at 11:17
  • I am using log.level, but the problem is log.level=ERROR used for many other cases and not alone for Exception case. Commented Jun 28, 2022 at 11:51
  • ok got it. then you can try out to search for StackTrace or at java.lang.Thread.run which will be available for all your stacktrace. You might get some unexpected result but most of scenario it will cover. Commented Jun 28, 2022 at 11:53
  • Ok, I tried following, it works fine but it is very slow, I am doing search only for 15 min duration, but numbers of log lines generated by application in 15 min are very high( around 60K), and takes 3-4 minutes to provide result. Any solution to improve the performance of following query? { "bool": { "must": { "wildcard": { "log_message": { "value": "*at java.lang.Thread.run*" } } }, "filter": [ { "term": { "severity": "ERROR" } } ] } } Commented Jun 29, 2022 at 14:29
  • Your are trying wildcard query with prefix and postfix * thats why it is taking long time. Insted of this try match_phrase query. Commented Jun 30, 2022 at 5:21

1 Answer 1

Reset to default
0

You can try out to search for StackTrace or at java.lang.Thread.run which will be available for all your stacktrace. You might get some unexpected result but most of scenario it will cover.

Below is query you can try:

{
  "query": {
    "bool": {
      "must": [
        {
          "match_phrase": {
            "message": "at java.lang.Thread.run"
          }
        },
        {
          "match": {
            "severity": "ERROR"
          }
        }
      ]
    }
  }
}
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Not sure why but match_phrase does not work me,

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.