Duplicated message in document, grok pattern problem

Elastic Stack Logstash
1

Dears,

Please help me with parsing such multiline log, example one event:

2022-03-03 07:34:45.971 TRACE 865 --- [nio-5010-exec-7] rest-server                              :
Request {
    correlationId = a835e742-635a-43a6-8ea6-b406143e922b
    httpMethod = GET
    path = /v1/manage/system/health
    headers = [accept:"application/json, application/*+json", user-agent:"Java/11.0.14", host:"192.168.10.38:5010", connection:"keep-alive"]
    payload = N/A
}

Grok pattern in Logstash looks like this one:

  if "mlog" in [tags] {
    grok {
      match => ["message", "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{TIME:time} %{GREEDYDATA:json_data}"]
    }
  }

and document in Elasticsearch looks like this one:

2022-03-03 07:34:45.971 TRACE 865 --- [nio-5010-exec-7] rest-server                              : 
Request {
    correlationId = a835e742-635a-43a6-8ea6-b406143e922b
    httpMethod = GET
    path = /v1/manage/system/health
    headers = [accept:"application/json, application/*+json", user-agent:"Java/11.0.14", host:"192.168.10.38:5010", connection:"keep-alive"]
    payload = N/A
}TRACE 865 --- [nio-5010-exec-7] rest-server                              : 
Request {
    correlationId = a835e742-635a-43a6-8ea6-b406143e922b
    httpMethod = GET
    path = /v1/manage/system/health
    headers = [accept:"application/json, application/*+json", user-agent:"Java/11.0.14", host:"192.168.10.38:5010", connection:"keep-alive"]
    payload =

Any idea how to solve it?

Best Regards,
Dan

2

It should solve parsing problem with multiline event:

%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{TIME:time} %{LOGLEVEL:logLevel} %{GREEDYDATA:log_header}\n(?m)%{GREEDYDATA:log_body}

Thanks a lot.

3

If you have any better solution please describe it. Thanks

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.