Error when filter multiline of rabbitmq log

vuxuanlai · October 12, 2017, 6:55am

When i parse log from rabbitmq, i got the error as below:
`

[2017-10-12T04:01:18,006][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"The setting type in plugin multiline is obsolete and is no longer available. You can achieve this same behavior with the new conditionals, like: if [type] == \"sometype\" { multiline { ... } }. If you have any questions about this, you are invited to visit Logstash - Discuss the Elastic Stack and ask."}

`

The following is my config:

input {
	file {
		type => "rabbit"
		path => "/home/ubuntu/logstash-5.6.2/rabbitmq.log"
	}
}
filter {
	multiline{
		type => "rabbit"
		pattern => "^="
		negate => true
		what => "previous"
	}
	grok {
		type => "rabbit"
		patterns_dir => "patterns"
		pattern => "^=%{WORD:report_type} REPORT=+ %{RABBIT_TIME:time_text} ===.*$"
	}
	mutate {
		type => "rabbit"
		add_field => [ "message", "%{@message}" ]
	}
	mutate {
		gsub => [
		  "message", "^=[A-Za-z0-9: =-]+=\n", "",
		  # interpret message header text as "severity"
		  "report_type", "INFO", "1",
		  "report_type", "WARNING", "3",
		  "report_type", "ERROR", "4",
		  "report_type", "CRASH", "5",
		  "report_type", "SUPERVISOR", "5"
		]
	}
	
}
output {
	stdout { codec => rubydebug }
}

Could someone help me in this case?

Christian_Dahlqvist · October 12, 2017, 7:00am

The multiline filter plugin has been deprecated. Instead use the multiline codec with your file input plugin.

vuxuanlai · October 12, 2017, 7:04am

So how can i use logstash filter to parse rabbitmq log?

Christian_Dahlqvist · October 12, 2017, 7:06am

Specify a multiline codec for the file input plugin and remove the multiline filter. You should be able to keep the rest the same, although I do not understand why you are specifying type => "rabbit" for the filter plugins.

vuxuanlai · October 12, 2017, 7:07am

I edited as your recommend. The following is my edition:

input {
	file {
		type => "rabbit"
		path => "/home/ubuntu/logstash-5.6.2/rabbitmq.log"
		codec => multiline{
			pattern => "^="
			negate => true
			what => "previous"
		}
	}
}
filter {

grok {
	type => "rabbit"
	patterns_dir => "patterns"
	pattern => "^=%{WORD:report_type} REPORT=+ %{RABBIT_TIME:time_text} ===.*$"
}
mutate {
	type => "rabbit"
	add_field => [ "message", "%{@message}" ]
}
mutate {
	gsub => [
	  "message", "^=[A-Za-z0-9: =-]+=\n", "",
	  # interpret message header text as "severity"
	  "report_type", "INFO", "1",
	  "report_type", "WARNING", "3",
	  "report_type", "ERROR", "4",
	  "report_type", "CRASH", "5",
	  "report_type", "SUPERVISOR", "5"
	]
}

}
output {
	stdout { codec => rubydebug }
}

I got the error:
[2017-10-12T07:03:20,501][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"The setting type in plugin grok is obsolete and is no longer available. You can achieve this same behavior with the new conditionals, like: if [type] == \"sometype\" { grok { ... } }. If you have any questions about this, you are invited to visit https://discuss.elastic.co/c/logstash and ask."}

Christian_Dahlqvist · October 12, 2017, 7:10am

You should remove this from your plugin config as I do not think it is supported any longer. You can see exactly which configuration parameters that are supported in the documentation.

vuxuanlai · October 12, 2017, 7:17am

I changed my config to your recommend, so it still got error. Could you give me some suggests or examples to parse rabbitmq log using logstash filter?
Thank you.

Christian_Dahlqvist · October 12, 2017, 7:19am

What does the config look like now? What error are you getting?

vuxuanlai · October 12, 2017, 7:22am

input {
	file {
		path => "/home/ubuntu/logstash-5.6.2/rabbitmq.log"
		codec => multiline{
			pattern => "^="
			negate => true
			what => "previous"
		}
	}
}
filter {
	
	grok {
		patterns_dir => "patterns"
		match => {"message" => "^=%{WORD:report_type} REPORT=+ %{RABBIT_TIME:time_text} ===.*$"}
	}
	mutate {
		add_field => [ "message", "%{@message}" ]
	}
	mutate {
		gsub => [
		  "message", "^=[A-Za-z0-9: =-]+=\n", "",
		  # interpret message header text as "severity"
		  "report_type", "INFO", "1",
		  "report_type", "WARNING", "3",
		  "report_type", "ERROR", "4",
		  "report_type", "CRASH", "5",
		  "report_type", "SUPERVISOR", "5"
		]
	}
	
}
output {
	stdout { codec => rubydebug }
}

The error:
[2017-10-12T07:20:53,132][ERROR][logstash.agent ] Pipeline aborted due to error {:exception=>#<Grok::PatternError: pattern %{RABBIT_TIME:time_text} not defined>, :backtrace=>["/home/ubuntu/logstash-5.6.2/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.4/lib/grok-pure.rb:123:in `compile'",...........

magnusbaeck · October 12, 2017, 7:28am

As the error message says it's not able to find a definition of your RABBIT_TIME pattern. I suggest you use the absolute path in the grok filter's patterns_dir option.

vuxuanlai · October 12, 2017, 7:40am

Thanks magnusbaeck, there are no error when i change config as recommend. However, i can't get any result on screen when read log from file as input.

system · November 9, 2017, 7:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
"Couldn't find any filter plugin named 'multiline'. Are you sure this is correct Logstash	3	1547	July 19, 2017
Multiline issue Logstash	4	1471	July 6, 2017
Multiline filter is not working even after installing the plugin Logstash	3	215	March 15, 2023
Logstash filter multiline not working Logstash	10	9617	August 8, 2017
Multiline filter sometimes doesn't work Logstash	4	1306	July 6, 2017

Error when filter multiline of rabbitmq log

Related topics