Grok: identify start of multiline message inside a line

crebegea · February 23, 2017, 12:06pm

Hi,

I am having serious problems parsing some logs of ours. The Problem is that the messages, which are also multiline, begin in the middle of the line. There is a workable pattern for the beginning of the message but how can I instruct logstash to correctly cut the message?

the log looks something like this:
{code}
beginmessage:restofthemessage:otherinfo
#0stack
#1stackbeginmessage:rest....
{code}

trying something like
{code}
multiline {
pattern => "begin*"
negate => true
what => previous
}
{code}
doesn't work.

Is it even possible to parse this?

magnusbaeck · February 23, 2017, 12:08pm

If you change the pattern to ^beginmessage: I don't see why it shouldn't work.

crebegea · February 23, 2017, 12:10pm

Thanks for the reply. It doesn't work though, as the begin pattern is not placed at the beginning of the line.

crebegea · February 23, 2017, 12:44pm

I kinda got something. With:

%{GREEDYDATA:lasthalf}begin:%{GREEDYDATA:firsthalf}

I could get the right parts of the message. Problem is now that they are intermingled. How can I form an entry using the lasthalf from the last message and the firsthalf from the current one?

system · March 23, 2017, 12:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.