Can't input in logstash for multiline

Denis_Neres · November 23, 2018, 12:15pm

Hello guys, so I have a specific pattern of logs that loogs like this:

[2018-11-17 11:10:26.267] [s-ss-ares] [http-apr-8080-exec-1] ERROR b.c.s.g.p.s.s.DashboardServiceImpl@logException:41 - [testesemp] - [Supervisor 003] - [super003@geosales] nested exception is org.apache.ibatis.exceptions.PersistenceException:
###message comes here
###other message here
###more here
     at bablablablabablablabla.bablablabla.bablablabla
     at blablablablablablablab
     at bablablablabablablabla.bablablabla.bablablabla
     at blablablablablablablab
[2018-11-17 11:10:26.267] [s-ss-ares] [http-apr-8080-exec-1] ERROR b.c.s.g.p.s.s.DashboardServiceImpl@logException:41 - [testesemp] - [Supervisor 003] - [super003@geosales] nested exception is org.apache.ibatis.exceptions.PersistenceException:
[2018-11-17 11:10:26.267] [s-ss-ares] [http-apr-8080-exec-1] ERROR b.c.s.g.p.s.s.DashboardServiceImpl@logException:41 - [testesemp] - [Supervisor 003] - [super003@geosales] nested exception is org.apache.ibatis.exceptions.PersistenceException:

So I did this configuration for input on logstash to capture multiline logs (all those starting with '#' and with whitespace...)

input {
  file {
    path => "path/to/my/log/file.log"
	codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate => true
      what => previous
    }
  }
}

What´s wrong? it isn´t to get all lines that doesn't start with date and set to the previous log with date?

thanks for your attention

Christian_Dahlqvist · November 23, 2018, 12:16pm

Before the timestamp is a [ that seems to be missing from your pattern.

Denis_Neres · November 23, 2018, 12:24pm

yeah, I thought would be this, but I tried pattern => "\[^%{TIMESTAMP_ISO8601}\]"and still didn't work. Or is this wrong?

Denis_Neres · November 23, 2018, 12:51pm

I also tried this: pattern => "^\[%{TIMESTAMP_ISO8601}\] ", nothing yet

Christian_Dahlqvist · November 23, 2018, 12:58pm

What if you try e.g. ^\[\d{4}-\d{2}-\d{2} \d{2}?

Denis_Neres · November 23, 2018, 1:29pm

So, updating informations:

I did this: ^[\d{4}-\d{2}-\d{2} \d{2} and didn't work at all.
I put this: ^[%{TIMESTAMP_ISO8601}] and I noticed something interesting: When I take out the 'at blbalba.blablabla.balba' logs, it did capture the logs perfectly. So, the problem is that This pattern can't capture logs line starting with:

(white space)   at dome.text.over.here
(white space)   at dome.text.over.here
(white space)   at dome.text.over.here

system · December 21, 2018, 1:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.