Can't grok multiline logs

I have logs where each event is:

ExitNode FF33F91CC06B6CC5C3EE804E7D8DBE42CB5707F9
Published 2017-11-05 02:55:09
LastStatus 2017-11-05 04:02:27
ExitAddress 66.42.224.235 2017-11-05 04:06:26

I tried to use multiline:

input {
  file {
    path => "/path/input"
  }
}
filter {
  multiline {
    pattern => "^\b[A-Za-z]{8}\b"
    what => "next"
  }
}
filter {
  multiline {
    pattern => "^\b[A-Za-z]{8}\b"
    what => "next"
  }
}
filter {
  multiline {
    pattern => "^\b[A-Za-z]{11}\b"
    what => "previous"
  }
}
output {
  file {
    codec => rubydebug
    path => "/path/output"
  }
}

And I get something like this:

{
          "path" => "/path/input",
    "@timestamp" => 2017-11-05T10:25:34.112Z,
      "@version" => "1",
          "host" => "HOST",
       "message" => "ExitNode FE3CB742E73674F1BC2382723209ECEE44AD4AEC\nPublished 2017-11-04 20:34:55\nLastStatus 2017-11-04 21:03:26\nExitAddress 77.250.227.12 2017-11-04 21:06:45",
          "tags" => [
        [0] "multiline"
    ]
}

And I can't grok this message field because I don't know how to remove or replace \n, and gsub => ["message", "\n", "Line_Break"] doesn't work properly. Thanks

You don't really need to remove newline literals in order to grok this message; you can just escape them in the pattern, like this:

ExitNode %{NOTSPACE:exitnode}\\nPublished %{TIMESTAMP_ISO8601:published}\\nLastStatus %{TIMESTAMP_ISO8601:laststatus}\\nExitAddress %{IPV4:exitaddress} %{TIMESTAMP_ISO8601:timestamp}
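Putting the two pieces together, here is a complete pipeline (an added example, not from either poster) that joins the four lines into one event with the multiline codec on the input, then groks the joined message with the escaped newlines from the answer above. The `date` filter mapping, the `timezone => "UTC"` setting and the `auto_flush_interval` value are assumptions, not something the original post states.

```logstash
input {
  file {
    path => "/path/input"
    # One event per record: any line that does NOT start with "ExitNode"
    # belongs to the previous event, so an event is complete when the
    # next "ExitNode" line arrives (or when auto_flush_interval elapses,
    # which handles the last record in the file).
    codec => multiline {
      pattern => "^ExitNode "
      negate => true
      what => "previous"
      auto_flush_interval => 5   # assumption: flush a pending event after 5 s
    }
  }
}

filter {
  grok {
    # "\\n" in a double-quoted config string reaches the regex engine as \n,
    # which matches the literal line break inside the joined message.
    match => {
      "message" => "^ExitNode %{NOTSPACE:exitnode}\\nPublished %{TIMESTAMP_ISO8601:published}\\nLastStatus %{TIMESTAMP_ISO8601:laststatus}\\nExitAddress %{IPV4:exitaddress} %{TIMESTAMP_ISO8601:timestamp}$"
    }
  }
  date {
    # Assumption: use the LastStatus time as the event timestamp and treat the
    # zone-less strings as UTC; the raw strings stay in their own fields.
    match => [ "laststatus", "yyyy-MM-dd HH:mm:ss" ]
    timezone => "UTC"
    target => "@timestamp"
  }
  mutate {
    # The structured fields carry everything; drop the multi-line blob.
    remove_field => [ "message" ]
  }
}

output {
  file {
    codec => rubydebug
    path => "/path/output"
  }
}
```

Events that do not match the pattern (for example a truncated record at the end of the file) are tagged `_grokparsefailure` rather than dropped, so they can be routed to a separate output and inspected.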
