Codec multiline grok pattern for Logstash

Elastic Stack Logstash
1

Hey,

so i am parsing multiline logs using Logstash. I need consider each log line will start with {"offset": currently it is printing into single line that's why it is coming in one message only

We are not using file beat hence need to implement in Logstash only

The multiline pattern is made in Logstash with sample logs:

input {
stdin {
        codec => multiline {
          pattern => "\{\"offset\""
          negate => true
          what => "previous"
        }
      }
  }
  

filter{

	mutate {
		add_field => ["config_version", "v6.2"]
	}
	
}

output {
       stdout{}
	}

Sample Logs:

{"offset":3083492288,"@version":"1","remote_ip":"abc","source":"xyz","time":"2024-01-08T12:19:43.421+00:00"}}{"offset":3083492288,"@version":"1","remote_ip":"abc","source":"xyz","time":"2024-01-08T12:19:43.421+00:00"}}
2

Can you share an example of this multiline log? What you shared is a single json log line.

3

HI @leandrojmp ,
yes those logs are generating in singe line only in txt files. but they need each log should start with {"offset": and they don't want to use filebeat as well through logstash only

4

This is confusing, it is not clear what is the issue, if you have a single line with a json document you do not need multiline and you also not need grok.

Also, if you have log files you should use the file input, not stdin.

5

this one i used for testing purpose only but through file also not working

6

Can you share the multiline log you have?

What you shared is not a multiline log, is a json document, you do not need multiline nor grok to parse it.

A json codec would parse your log without any issues.

7

Json is now working here if my multiple logs in single line

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.