Grok: identify start of multiline message inside a line

crebegea · February 23, 2017, 12:06pm

Hi,

I am having serious problems parsing some logs of ours. The Problem is that the messages, which are also multiline, begin in the middle of the line. There is a workable pattern for the beginning of the message but how can I instruct logstash to correctly cut the message?

the log looks something like this:
{code}
beginmessage:restofthemessage:otherinfo
#0stack
#1stackbeginmessage:rest....
{code}

trying something like
{code}
multiline {
pattern => "begin*"
negate => true
what => previous
}
{code}
doesn't work.

Is it even possible to parse this?

magnusbaeck · February 23, 2017, 12:08pm

If you change the pattern to ^beginmessage: I don't see why it shouldn't work.

crebegea · February 23, 2017, 12:10pm

Thanks for the reply. It doesn't work though, as the begin pattern is not placed at the beginning of the line.

crebegea · February 23, 2017, 12:44pm

I kinda got something. With:

%{GREEDYDATA:lasthalf}begin:%{GREEDYDATA:firsthalf}

I could get the right parts of the message. Problem is now that they are intermingled. How can I form an entry using the lasthalf from the last message and the firsthalf from the current one?

Topic		Replies	Views
Multiline Logstash	10	1251	July 6, 2017
_grokparsefailure using regex filter with multiline codec Logstash	5	594	April 17, 2018
How do I get first line from multiline message by using logstash 1.5? Logstash	7	4323	July 6, 2017
Question about multiline Logstash	1	317	July 27, 2019
Multiline parsing error Logstash	2	247	January 3, 2021

Grok: identify start of multiline message inside a line

Related topics