Failed Parsing Date and MulitLine tomcat log

magnusbaeck · February 12, 2016, 6:34am

Two problems:

Your pattern is not a regular expression. It looks like the pattern used for a date filter. Use your grok expression as a starting point instead.
The logic is flawed since it'll only work for sequences of two lines. If you have a sequence of three lines that should be joined, the second line won't begin with a timestamp so it won't be joined with the following line. Instead, turn the logic around with negate => true and use what => "previous", expressing "if the line doesn't begin with a timestamp, join it with the preceding line".

Topic		Replies	Views
Parsing problems on logstash + filebeat Logstash	3	1258	July 6, 2017
Problems with config date {} multiline files Logstash	2	579	July 6, 2017
Multiline filter and dateparse issue in production Logstash	12	3319	July 6, 2017
Can someone give pattern for Tomcat logs Logstash	17	12865	July 6, 2017
Failed to parse [timestamp] Logstash	9	2736	May 17, 2017