Hi
I am getting lots of warnings in my logstash log. The warning says "LogstashJSON - Failed action"
I somehow feel this is related to using my multiline codec. I am using logstash to parse my log files and put those in Elastic. I am also not able to find the particular index in elastic which has those multilines. Surprisingly if I change my logstash output to some file, everything works fine. If logstash is writing to elastic server I am facing issues. Any helps would be appreciated.
Below is the sample of my logstash config
input {
beats {
port => "xxxx"
codec => multiline {
pattern => "^\s*[0-9]{4}[-][0-9]{1,2}[-][0-9]{1,2}"
what => "previous"
negate => true
auto_flush_interval => 1
}
}
}
filter {
grok {
break_on_match => true
match => [ "message", "(?m)%{YEAR:Year}[/-]%{MONTHDAY:Day}[/-]%{MONTHNUM:Month}%{SPACE}%{TIME:logentryTime}%{SPACE}%{DATA:utctime}%{SPACE}[%{DATA:machine}]%{SPACE}[%{INT:threadid}]%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}[%{DATA:className}]%{SPACE}[%{DATA:corrid}]%{SPACE}%{GREEDYDATA:logdetails}",
"message","(?m)%{YEAR:Year}[/-]%{MONTHNUM:Month}[/-]%{MONTHDAY:Day}%{SPACE}%{TIME:logentryTime}%{SPACE}[%{INT:threadid}]%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{DATA:className}%{SPACE}[%{DATA:corrid}]%{SPACE}%{GREEDYDATA:logdetails}"]
}
mutate{
gsub => ["source", "[\\]", "/"]
add_field => [ "logDateTime", "%{Year}-%{Month}-%{Day} %{logentryTime}" ]
split => [ "source", "/" ]
add_field => [ "ServiceName", "%{[source][2]}" ]
}
date{
match => [ "logDateTime" , "yyyy-MM-dd HH:mm:ss,SSS" ]
target => "@timestamp"
}
}
output {
elasticsearch_java {
// server details etc
}
}