Aggregates all lines messages between 2 date using multiline filter

MichaelScofield · August 21, 2015, 8:46am

I have a log like this:

2015-06-26 23:00:48,935  foo                  as "date1"
whatever lines not start with date
...
2015-06-16 18:46:16,136 bar                   as "date2"

I'm trying to get all lines between date1(include) and date2(exclude). So I use "multiline" filter:

filter {
    grok {
        match => {"message" => "%{TIMESTAMP_ISO8601:[@metadata][tt]} %{GREEDYDATA:[@metadata][dd]}"}
    }
    if "_grokparsefailure" not in [tags] {
         date {
             match => ["[@metadata][tt]", "yyyy-MM-dd HH:mm:ss,SSS"]
         }
     } else { # indicates this line should belong to previous message
         multiline {
             pattern => ".*"
             what => "previous"
         }
     }
 }

But it just generates 3 messages:

m1: 2015-06-26 23:00:48,935  foo
m2: 2015-06-16 18:46:16,136 bar
m3: whatever lines not start with date
    ...

What's wrong with the filter config? How to make it right? Thx in advance!

MichaelScofield · August 21, 2015, 9:38am

Answering my own question after I solved it:

filter {
    multiline {
        pattern => "^%{TIMESTAMP_ISO8601}"
        negate => true
        what => "previous"
    }
    grok {
        match => {"message" => "%{TIMESTAMP_ISO8601:[@metadata][tt]} %{GREEDYDATA:[@metadata][dd]}"}
    }
    date {
        match => ["[@metadata][tt]", "yyyy-MM-dd HH:mm:ss,SSS"]
    }
}

Topic		Replies	Views
Multiline filter and dateparse issue in production Logstash	12	3283	July 6, 2017
Logstash date extraction help Logstash	3	612	December 26, 2016
Hi, I am new to ELK. Trying to parse the date inside the multiline messages as timestamp. Let me know what config file to be used Logstash	8	1039	July 6, 2017
Multiline message problem Logstash	3	326	April 30, 2020
Could not split in multiline Logs in Logstash Logstash	4	872	July 12, 2018

Aggregates all lines messages between 2 date using multiline filter

Related Topics