Grok patter is not parsing multiline log

Nitesh_Singhal · July 15, 2024, 3:15pm

Hi, I have a log line in multiline pattern and my grok parser is only parsing one line of the log and ignoring the others. How this can be fixed to include the complete message?

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /path/to/log/file.log
  fields:
    kafka_topic_name: my_topic
    attributes.log_source: file1
  fields_under_root: true
  multiline.pattern: '^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{3}'
  multiline.negate: true
  multiline.match: after

processors:
  - grok:
      when:
        equals:
          attributes.log_source: file1
      field: message
      patterns:
        - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{DATA:class} %{DATA:thread} %{GREEDYDATA:message}'

Sample log line:

2024-07-09 10:28:08.691 INFO de.connect.mv.core    [ThreatPool]   inbound Message
-------------------
ID:6
ResponseCode: 200
Encoding: null
Content-type: app/json
Header: {Date=[Tue, 09 Jul 2024 08:23 GMT],
Payload: "{cstmrdata}"

and my grok pattern is only matching following pattern of the log line:
2024-07-09 10:28:08.691 INFO de.connect.mv.core [ThreatPool] inbound Message

Topic		Replies	Views
Need to parse multi-lines log message Logstash	4	122	May 27, 2024
Grok filter cannot parse log lines that are AFTER a multiline event Logstash	8	1960	July 6, 2017
Grok pattern to match Filebeat multiline input up to the first new line character Logstash	6	986	November 26, 2020
How to grok those multiline log syntax? Logstash	3	253	October 8, 2022
Multiline filter fails on one record when handling a large file Logstash	12	3280	July 6, 2017

Grok patter is not parsing multiline log

Related Topics