所以我有一个非结构化日志,我想在 datadog 中解析。具体来说,我试图从记录的异常中解析出内部异常:
My.Exception.Type.CustomException: This is my exception message. ---> An.Inner.Exception.InnerException: This is an inner exception message ---> An.Inner.Exception.AnotherInnerException: This is another inner exception message
at Stack.Trace.Goes.Here
我已经多次尝试解决这个问题。我认为可行的方法是:
exception_rule %{notSpace:error.kind}:\s+%{data:error.message}\s*%{inner_exception}*\s+%{regex(" at.*"):error.stack}
辅助规则定义为:
inner_exception (\s*--->\s+%{notSpace:error.inner.kind}:\s+%{data:error.inner.message})
实际输出:
{
"error": {
"kind": "My.Exception.Type.CustomException",
"message": "This is my exception message.",
"stack": " at Stack.Trace.Goes.Here",
"inner": {
"kind": "An.Inner.Exception.AnotherInnerException",
"message": "This is another inner exception message"
}
}
}
我的预期输出:
{
"error": {
"kind": "My.Exception.Type.CustomException",
"message": "This is my exception message.",
"stack": " at Stack.Trace.Goes.Here",
"inner": [
{
"kind": "An.Inner.Exception.InnerException",
"message": "This is an inner exception message"
},
{
"kind": "An.Inner.Exception.AnotherInnerException",
"message": "This is another inner exception message"
}
]
}
}
如果我使用数组类型,我可以接近我想要的:
exception_rule %{notSpace:error.kind}:\s+%{data:error.message}(\s*--->\s*(%{data:error.inner:array(""," ---> ")}))%{regex(" at.*"):error.stack}
产生以下输出:
{
"error": {
"kind": "My.Exception.Type.CustomException",
"message": "This is my exception message.",
"stack": " at Stack.Trace.Goes.Here",
"inner": [
"An.Inner.Exception.InnerException: This is an inner exception message ",
"An.Inner.Exception.AnotherInnerException: This is another inner exception message\n"
]
}
}
但是这里的内部异常没有被正确标记并被视为原始字符串