Fluent codec and multiline

Hello,

I use the fluent codec in my input.
It receives logs from Java applications and I would like to make a Java stack trace into a single event.
This can be done with the multiline plugin.
How can I benefit from the functionalities of both the fluent and multiline codecs?

My configuration below:

input {
  tcp {
    port => 9532
    codec => fluent
  }
}

filter {

  grok {
    # Parse Tomcat HTTP logs
    # Literal [ ] and " are escaped so they match as plain characters;
    # the capture name "pid" in the second pattern is assumed.
    match => { "message" => [
      "%{IP} - - \[%{HTTPDATE}\] \"%{NOTSPACE:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{INT:code} %{INT:size} %{INT:time}",
      "%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:severity}\s+\[%{DATA:service},%{DATA:trace},%{DATA:span},%{DATA:exportable}\]\s+%{DATA:pid}\s+---\s+\[%{DATA:thread}\]\s+%{DATA:class}\s+:\s+%{GREEDYDATA:logMessage}"
    ]}
  }

  date {
    match => [ "timestamp" , "YY-MM-dd HH:mm:ss.SSS" ]
  }

}

output {
  elasticsearch {
    user => "logstash"
    password => "xxxxx"
    hosts => ["xxxxx:9632"]
    index => "logstash-tap2use-%{+YYYY.MM.dd}"
    document_type => "logs"
  }
}

Thanks for your help.

Hello,
I'm trying to solve this issue with 2 pipelines.
The input of the first pipeline will have a fluent codec. The input of the second pipeline will have a multiline codec.
Can someone confirm that the multiline codec can be used with a pipeline input (as shown below)?

input {
  pipeline {
    address => myVirtualAddress
    codec => multiline {
      pattern => ".*at"
      what => "previous"
    }
  }
}

Thanks,
Best regards,
Benoît
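
To show how a `pattern` / `what => "previous"` rule groups lines, here is an added Ruby sketch (not part of the original posts and not Logstash code) that applies that rule to constructed sample lines: once with the `.*at` pattern from the post, and once with an assumed timestamp-anchored pattern combined with the multiline `negate` option. The names `group`, `SAMPLE`, `LOOSE` and `BY_TIMESTAMP` are hypothetical, and one decoded record per log line is assumed.

```ruby
# Constructed sample: one record per log line, as a logger might forward them.
SAMPLE = [
  '2019-03-01 10:00:01.123 ERROR 4242 --- [main] c.e.Demo : Request failed',
  'java.lang.IllegalStateException: boom',
  "\tat com.example.Demo.run(Demo.java:12)",
  "\tat com.example.Demo.main(Demo.java:5)",
  'Caused by: java.io.IOException: disk',
  "\t... 2 more",
  '2019-03-01 10:00:02.456 INFO 4242 --- [main] c.e.Demo : Creating data source',
  '2019-03-01 10:00:03.789 INFO 4242 --- [main] c.e.Demo : Ready'
].freeze

LOOSE        = /.*at/                 # pattern taken from the post
BY_TIMESTAMP = /\A\d{4}-\d{2}-\d{2} / # assumed alternative: start of a new entry

# Semantics of what => "previous": a line that satisfies the rule is appended
# to the event before it; any other line starts a new event. With negate,
# the rule is satisfied by lines that do NOT match the pattern.
def group(lines, pattern, negate: false)
  lines.each_with_object([]) do |line, events|
    matched = !(line =~ pattern).nil?
    matched = !matched if negate
    if matched && !events.empty?
      events.last << line
    else
      events << [line]
    end
  end
end

# Print the line count of each resulting event for both rules.
{ 'pattern .*at' => group(SAMPLE, LOOSE),
  'timestamp + negate' => group(SAMPLE, BY_TIMESTAMP, negate: true) }.each do |name, events|
  puts "#{name}: #{events.map(&:size).inspect}"
end
```

With `.*at` the "Caused by:" line starts a new event and the "Creating data source" line is merged into the preceding fragment, because the unanchored pattern matches "at" anywhere in a line; the timestamp rule keeps the six trace lines together.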

Any idea on this issue?
