Get lines in one line logstash filter

Elastic Stack Logstash
1

Hi,
log file example:

0101-15:17:39:012|aze|exp|id|aa|bb|ee|rr|zz|tt|jj
0101-15:17:39:012|aze|exp|id....|ERR exception
nom du para: sss
    à System...
    à Web.............|Ref|lev|15|Code_Status = 50
0101-15:17:39:012|aze|exp|id|aa|bb|ee|rr|zz|tt|jj

the problem is that logstash reads the file line by line so it added a message with "para name:sss"...
can logstash keep some lines on a single line or create those lines in a single message?
About multiline, sometimes I have log files that don't contain "ERR exception".
So I don't know if there is a solution for this :confused:

Any help would be sincerely appreciate!
Thanks!

2

You can use a multiline codec. Perhaps

codec => multiline {
    pattern => "^\d{4}-\d{2}:\d{2}:\d{2}:\d{3}"
    negate => true
    what => previous
    auto_flush_interval => 5
}

That would join the "nom du para" line and the two after it to the "ERR exception" line.

3

Thank you so much for the reply it works,
Just one more question when i have beats file in input the multiline didnt work under beats { } in logstash ?
I mean like this:

input {
    beats {
        port => "5044"
        codec => multiline {
        pattern => "^\d{4}-\d{2}:\d{2}:\d{2}:\d{3}"
        negate => true
        what => previous
        auto_flush_interval => 5
        }
    }
}

Well i solve it with a config in filebeat.yml:

  multiline.type: pattern
  multiline.pattern: '^\d{4}-\d{2}:\d{2}:\d{2}:\d{3}'
  multiline.negate: true
  multiline.match: after
  multiline.max_lines: 5

Thanks.

4

Indeed, as the documentation notes, you should not use a multiline codec with a beats input because it might combine lines from multiple senders. Do it in the beat instead.