Grok Filter Logstash Multiple Lines

lavolpem · July 23, 2017, 10:40am

I have some problem about the log's format that I had to parse. My logs have a format like this:
`==================================================================
Report : WARNING
Date : Thu Jun 18 16:52:54 2017
Description : Did not install signal handlers to cleanup resources.
Node : swim-host
Process : java <14517>
Thread : main thread 40ea6940
Internals : V6.3.130716OSS

Report : INFO
Date : Thu Jun 18 16:52:59 2017
........ .........`
and following like that. So in my case the separator between the single instances is the sequence of 88 "=". But grok filter considers by default as separator the end of line. So when I start logstash I have a grokparsefailure because it applies the grok filter, that I wrote for the entire instance, to just one line. For example if I try to parse a .log file whit just one instance of collected data and I start logstash I have 8 grokparsefailure, one for each line. I tried with the codec multiline or the gsub mutate filter but I couldn't solve the problem. How can I solve the issue?

marcelo · July 23, 2017, 9:49pm

Try this grok filter

^================================================================== 
Report : %{NOTSPACE:Report}
Date : %{DAY:day} %{MONTH:month} %{MONTHDAY:day} %{TIME:hour} %{YEAR:year}
Description : %{DATA:Description}.
Node : %{NOTSPACE:node}
Process : %{DATA:Process}
Thread : %{DATA:Thread}
Internals : %{NOTSPACE:Internals}

works on https://grokdebug.herokuapp.com/ with:

INPUT:

================================================================== 
Report : WARNING
Date : Thu Jun 18 16:52:54 2017
Description : Did not install signal handlers to cleanup resources.
Node : swim-host
Process : java <14517>
Thread : main thread 40ea6940
Internals : V6.3.130716OSS

PATTERN:

^================================================================== 
Report : %{NOTSPACE:Report}
Date : %{DAY:day} %{MONTH:month} %{MONTHDAY:day} %{TIME:hour} %{YEAR:year}
Description : %{DATA:Description}.
Node : %{NOTSPACE:node}
Process : %{DATA:Process}
Thread : %{DATA:Thread}
Internals : %{NOTSPACE:Internals}

RESULT:

    {
  "Report": [
    [
      "WARNING"
    ]
  ],
  "day": [
    [
      "Thu"
    ],
    [
      "18"
    ]
  ],
  "month": [
    [
      "Jun"
    ]
  ],
  "hour": [
    [
      "16:52:54"
    ]
  ],
  "HOUR": [
    [
      "16"
    ]
  ],
  "MINUTE": [
    [
      "52"
    ]
  ],
  "SECOND": [
    [
      "54"
    ]
  ],
  "year": [
    [
      "2017"
    ]
  ],
  "Description": [
    [
      "Did not install signal handlers to cleanup resources"
    ]
  ],
  "node": [
    [
      "swim-host"
    ]
  ],
  "Process": [
    [
      "java <14517>"
    ]
  ],
  "Thread": [
    [
      "main thread 40ea6940"
    ]
  ],
  "Internals": [
    [
      "V6.3.130716OSS"
    ]
  ]
}

CDR · July 24, 2017, 7:11pm

Can you post your configuration file? Also, are you wanting to group the message in between the = signs as one event or each line seperate?

system · August 21, 2017, 7:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter cannot parse log lines that are AFTER a multiline event Logstash	8	1960	July 6, 2017
Parse string data with ; separator in logstash Logstash	6	6006	June 27, 2017
Multiline Gets Cutoff For No Reason (so strange) Logstash	5	1098	July 6, 2017
Multiple grok filter Logstash	16	23661	October 3, 2017
Parsing Log With grok Filter Logstash	11	3758	May 9, 2017

Grok Filter Logstash Multiple Lines

Related topics