Get lines in one line logstash filter

alex_vermex · February 15, 2022, 3:06pm

Hi,
log file example:

0101-15:17:39:012|aze|exp|id|aa|bb|ee|rr|zz|tt|jj
0101-15:17:39:012|aze|exp|id....|ERR exception
nom du para: sss
    à System...
    à Web.............|Ref|lev|15|Code_Status = 50
0101-15:17:39:012|aze|exp|id|aa|bb|ee|rr|zz|tt|jj

the problem is that logstash reads the file line by line so it added a message with "para name:sss"...
can logstash keep some lines on a single line or create those lines in a single message?
About multiline, sometimes I have log files that don't contain "ERR exception".
So I don't know if there is a solution for this

Any help would be sincerely appreciate!
Thanks!

Badger · February 15, 2022, 5:02pm

You can use a multiline codec. Perhaps

codec => multiline {
    pattern => "^\d{4}-\d{2}:\d{2}:\d{2}:\d{3}"
    negate => true
    what => previous
    auto_flush_interval => 5
}

That would join the "nom du para" line and the two after it to the "ERR exception" line.

alex_vermex · February 16, 2022, 9:56am

Thank you so much for the reply it works,
Just one more question when i have beats file in input the multiline didnt work under beats { } in logstash ?
I mean like this:

input {
    beats {
        port => "5044"
        codec => multiline {
        pattern => "^\d{4}-\d{2}:\d{2}:\d{2}:\d{3}"
        negate => true
        what => previous
        auto_flush_interval => 5
        }
    }
}

Well i solve it with a config in filebeat.yml:

  multiline.type: pattern
  multiline.pattern: '^\d{4}-\d{2}:\d{2}:\d{2}:\d{3}'
  multiline.negate: true
  multiline.match: after
  multiline.max_lines: 5

Thanks.

Badger · February 16, 2022, 6:32pm

Indeed, as the documentation notes, you should not use a multiline codec with a beats input because it might combine lines from multiple senders. Do it in the beat instead.

system · March 16, 2022, 6:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.