Entire File as "one line"

paiz1556 · August 28, 2019, 7:05pm

Is there a good strategy to read an entire file as the "message" value you would send to ElasticSearch?

I see "read" mode as part of file input plugin but that wants me to write the input to a different file. I want to take what I've read and push it to Elastic Search.

I tried using the codec for multiline but didn't know how to use the end of file as the pattern.

The system i'm trying to parse writes a new file for every error so the whole file is what I need to consume. A new error, writes a new file.

Any suggestions?

Badger · August 28, 2019, 7:25pm

Use a pattern that never matches and a timeout. I use

codec => multiline { pattern => "^Spalanzani" negate => true what => previous auto_flush_interval => 1 }

paiz1556 · August 28, 2019, 7:47pm

Brilliant!!! I was trying to attack it with a pattern that always matched. I also think the fact that I wasn't using the auto_flush_interval attribute was causing some sort of issue.

This works perfectly!

Topic		Replies	Views
How to feed entire logfile to elasticsearch as a message Logstash	4	1440	July 6, 2017
Each log line is split into a different document in Elastic Logstash	4	345	August 9, 2023
Shipping whole file as message? Beats filebeat	4	3760	August 25, 2017
Logstash input multiline codec Entire file is getting merged into single line Logstash	2	471	May 1, 2020
Logstash Multiline Codec skipping first messages Logstash	2	551	July 6, 2017

Entire File as "one line"

Related topics