Each log line is split into a different document in Elastic

Merav_Yaacov · July 11, 2023, 5:07pm

Hi,
What can be the reason that each line of log file is split into single document in Elastic?
That's how Logstash is configured:

input {
  file {
        type => "log"
        path => ["/etc/logstash/conf.d/files/*.log"]
        sincedb_path => "/etc/logstash/conf.d/sincedb.log"                                                                                                                                     }
}

output {
  stdout {
        codec => rubydebug
  }
  elasticsearch {
        hosts => ["https://<hostname>:9200"]
        index => "failure-logs"
        user => "elastic"
        password => "****"
        ssl => true
        cacert => "/etc/logstash/conf.d/ca.crt"
  }
}

In Elastic each line is populated into different document.

Thanks

Badger · July 11, 2023, 7:03pm

That is working as expected. A file input consumes files one line at a time. If you need to combine lines you may want to use a multiline codec.

Merav_Yaacov · July 12, 2023, 4:25am

Got it. Thank you!

Rios · July 12, 2023, 5:37am

A simplified version ML coded of this:

input {
  file {
    path => "/path/file.log"
    sincedb_path => "/dev/null"
    start_position => "beginning"
      codec => multiline {
      pattern => "^<pattern>" # how LS will recognize what is the first line
      negate => "true"
      what => "previous"
    }
}

system · August 9, 2023, 5:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.