Finding a pattern multiple times in a multiline event

mahsa_b · May 31, 2017, 3:43pm

I am reading multiline from input and trying to match all the instances of the pattern. but it only output the first instance and not the rest. I'm not sure where I am making the mistake. this is my conf file content:

indent preformatted text by 4 spaces
input {
    file {
        path => "/usr/local/src/logstash/log1.in"
        start_position => beginning
        sincedb_path => "/dev/null"
        codec => multiline {
            pattern => "^show"
            negate => true
            what	=> next
        }
    }
}

filter {
    grok {

        patterns_dir => ["./patterns/mypatterns"]
        match	=> {"message" => ["(?m)configure vlan %{WORD:vlan} add ports %{PORTS:ports} %{TAG_INFO:tag_info}"]}
        break_on_match => false
    }
}

output {
    stdout {
        codec => rubydebug
    }
}

and this is the content of log1.in( I only have one 'show switch' command)

    configure snmp sysName "NY_MPBN_SS_1"
    configure snmp sysLocation "GSI New York"
    configure snmp sysContact "JPoserio@globecommsystems.com"
    configure timezone name New_Yor -240
    configure sys-recovery-level switch reset
    configure vlan CH_ACCESS add ports 19, 28, 46-47 tagged
    configure vlan CN_GN add ports 10, 46-47 tagged
    configure vlan CN_GN add ports 12 untagged
    configure vlan CN_Gn_GSN_1 add ports 3-8, 46 tagged
    configure vlan Default add ports 50 untagged
    show switch

and this is the output of running the conf file

guyboertje · June 2, 2017, 8:23am

Please paste:

a long enough piece of your file to have at least two show switch lines.
the console output of the event that is captured.

use triple backticks above and below the pasted text - its easier to read, e.g.

[2017-06-01T15:58:38,222][INFO ][o.e.n.Node               ] [eDuMM9L] stopped
[2017-06-01T15:58:38,222][INFO ][o.e.n.Node               ] [eDuMM9L] closing ...
[2017-06-01T15:58:38,229][INFO ][o.e.n.Node               ] [eDuMM9L] closed

mahsa_b · June 6, 2017, 2:56pm

I updated the original post . I hope it is more clear now

mahsa_b · June 13, 2017, 4:10pm

I believe my scenario could not be covered with the configs I had.
I used ruby plugin and a for loop inside of it, to go through each line (of the multiline event) and extract the info I required.

system · July 11, 2017, 4:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.