Add jvm9 logging format to GC fileset of ES module (#7390)

filebeat/docs/fields.asciidoc

@@ -811,7 +811,7 @@ elasticsearch Module
 --
 type: float
 
-Garbage collection threads total stop time seconds.
+The time from JVM start up in seconds, as a floating point number.
 
 
 --
@@ -834,6 +834,26 @@ type: float
 Time took to stop threads seconds.
 
 
+--
+
+*`elasticsearch.gc.pid`*::
++
+--
+type: long
+
+The PID of JVM process.
+
+
+--
+
+*`elasticsearch.gc.tags`*::
++
+--
+type: keyword
+
+GC logging tags.
+
+
 --
 
 [float]

filebeat/module/elasticsearch/gc/_meta/fields.yml

@@ -5,7 +5,7 @@
     - name: relative_process_timestamp_secs
       type: float
       description: >
-        Garbage collection threads total stop time seconds.
+        The time from JVM start up in seconds, as a floating point number.
     - name: threads_total_stop_time_secs
       type: float
       description: >
@@ -14,3 +14,11 @@
       type: float
       description: >
         Time took to stop threads seconds.
+    - name: pid
+      type: long
+      description: >
+        The PID of JVM process.
+    - name: tags
+      type: keyword
+      description: >
+        GC logging tags.

filebeat/module/elasticsearch/gc/config/gc.yml

@@ -4,11 +4,12 @@ paths:
  - {{$path}}
 {{ end }}
 exclude_files: [".gz$"]
+exclude_lines: ["^(OpenJDK|Java HotSpot).* Server VM ", "^CommandLine flags: ", "^Memory: "] # exclude JVM8 banner
 multiline:
-  pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
+  pattern: '^\[?[0-9]{4}-[0-9]{2}-[0-9]{2}'
   negate: true
   match: after
 
 fields:
   service.name: "elasticsearch"
-fields_under_root: true
+fields_under_root: true

filebeat/module/elasticsearch/gc/ingest/pipeline.json

@@ -5,13 +5,13 @@
       "grok": {
         "field": "message",
         "patterns": [
-          "%{GCTIMESTAMP}: %{GCPROCRUNTIME}: Total time for which application threads were stopped: %{BASE10NUM:elasticsearch.gc.threads_total_stop_time_secs} seconds, Stopping threads took: %{BASE10NUM:elasticsearch.gc.stopping_threads_time_secs} seconds",
-          "%{GCTIMESTAMP}: %{GREEDYMULTILINE:message}"
+          "(?:%{JVM8HEADER}|%{JVM9HEADER}) Total time for which application threads were stopped: %{BASE10NUM:elasticsearch.gc.threads_total_stop_time_secs} seconds, Stopping threads took: %{BASE10NUM:elasticsearch.gc.stopping_threads_time_secs} seconds",
+          "(?:%{JVM8HEADER}|%{JVM9HEADER}) %{GREEDYMULTILINE:message}"
         ],
         "pattern_definitions": {
           "GREEDYMULTILINE": "(.|\n)*",
-          "GCTIMESTAMP": "%{TIMESTAMP_ISO8601:timestamp}",
-          "GCPROCRUNTIME": "%{BASE10NUM:elasticsearch.gc.relative_process_timestamp_secs}"
+          "JVM8HEADER": "%{TIMESTAMP_ISO8601:timestamp}: %{BASE10NUM:elasticsearch.gc.relative_process_timestamp_secs}:",
+          "JVM9HEADER": "\\[%{TIMESTAMP_ISO8601:timestamp}\\]\\[%{POSINT:elasticsearch.gc.pid}\\]\\[%{DATA:elasticsearch.gc.tags}%{SPACE}*\\]"
         }
       }
     },
@@ -22,9 +22,24 @@
       }
     },
     {
-      "rename": {
+      "date": {
         "field": "timestamp",
-        "target_field": "@timestamp"
+        "target_field": "@timestamp",
+        "formats": [
+          "ISO8601"
+        ]
+      }
+    },
+    {
+      "remove": {
+        "field": "timestamp"
+      }
+    },
+    {
+      "split": {
+        "field": "elasticsearch.gc.tags",
+        "separator": ",",
+        "ignore_missing": true
       }
     }
   ],
@@ -36,4 +51,4 @@
       }
     }
   ]
-}
+}

filebeat/module/elasticsearch/gc/manifest.yml

@@ -4,6 +4,7 @@ var:
   - name: paths
     default:
       - /var/log/elasticsearch/gc.log.[0-9]*
+      - /var/log/elasticsearch/gc.log
     os.darwin: []
     os.windows: []
 

filebeat/module/elasticsearch/gc/test/test.log-expected.json

@@ -18,7 +18,7 @@
       "input": {
         "type": "log"
       },
-      "@timestamp": "2018-06-11T01:53:11.382+0000",
+      "@timestamp": "2018-06-11T01:53:11.382Z",
       "elasticsearch": {
         "gc": {
           "stopping_threads_time_secs": "0.0000702",