Hello,
I have a message that is in the format
2019-10-22 22:59:56 HOSTNAME [Error] Connection id ""ABCDEF"", Request id ""123ABCD"": An unhandled exception was thrown by the application.
System.NullReferenceException: Object reference not set to an instance of an object.
at Moe.MicroservicesControllers.ApplicationsController.Get(String userId) in ne 26
at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(
Now I want to extract only first line of the message my Logstash Configuration is
input {
beats {
port => 5044
}
}
filter {
grok {
match => {"message" => "%{TIMESTAMP_ISO8601:eventtime}\s*(?[\w\d]+)\s*[%{WORD:loglevel}]\s(?[\d\w\s"\n.@;():,$><`-&\'|='?]+)"}
}
grok {
match => [
"eventdescription", "(?[\d\w\s"\n.@;():,$><`-&\'|='?]+).user\s"%{INT:user}(?[\d\w\s"\n.@;():,$><`-&\[]'|='?]+)",
"eventdescription", ".user\s"(?[\w\d-]+)",
"eventdescription", ".User\s"%{INT:user}",
"eventdescription", ".Connection\sid\s""(?[\d\w]+)",
"eventdescription", ".Request\sid\s*""(?[\d\w:]+)",
"eventdescription", "(?[\d\w\s"\n.@;():,$><`-&\'|='?]+)"
]
}
if "multiline" in [log][flags]{
mutate {
add_field => {"errormessage" => "%{eventdescription}"}
}
mutate {
split => { "errormessage" => "\n" }
mutate {
replace => { "errormessage" => "%{errormessage[0]}" }
}
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "test3"
}
}
But I am not able to capture first line of the logs
Please guide me
Regards