Hi all!
After some weeks trying to figure out how to use the multiline codec with the gelf input, I have finally thrown in the towel ... it should be something easy; there should be an easy way to do it, but I have not been able to work out how!
Previously, in 2.x, I received the logs from several Docker containers using the Gelf input and later applied a multiline filter to collapse all the exception stack traces into a single event. But since I upgraded to 5.x this filter is not available (deprecated in favor of the codec version). So I changed my Logstash configuration to something like:
input {
  gelf {
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate => true
      what => previous
    }
  }
}
output {
  elasticsearch {
  }
}
It does not fail; however, it seems like this codec is ignoring all the events received by the gelf input. Everything I find about the multiline codec is applied to file inputs. I'm starting to think that the multiline codec simply does not support the event structure generated by the Gelf plug-in.
Am I missing something here?
Is it simply impossible to use the multiline codec with the gelf input plug-in?
If so, what is the setup that other people are using to redirect logs from Docker containers to Logstash and post-process the sequence of events to merge related, split lines?
Any idea, any clue, any example is welcome!