Grok patter is not parsing multiline log

Nitesh_Singhal · July 15, 2024, 3:15pm

Hi, I have a log line in multiline pattern and my grok parser is only parsing one line of the log and ignoring the others. How this can be fixed to include the complete message?

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /path/to/log/file.log
  fields:
    kafka_topic_name: my_topic
    attributes.log_source: file1
  fields_under_root: true
  multiline.pattern: '^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{3}'
  multiline.negate: true
  multiline.match: after

processors:
  - grok:
      when:
        equals:
          attributes.log_source: file1
      field: message
      patterns:
        - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{DATA:class} %{DATA:thread} %{GREEDYDATA:message}'

Sample log line:

2024-07-09 10:28:08.691 INFO de.connect.mv.core    [ThreatPool]   inbound Message
-------------------
ID:6
ResponseCode: 200
Encoding: null
Content-type: app/json
Header: {Date=[Tue, 09 Jul 2024 08:23 GMT],
Payload: "{cstmrdata}"

and my grok pattern is only matching following pattern of the log line:
2024-07-09 10:28:08.691 INFO de.connect.mv.core [ThreatPool] inbound Message

Topic		Replies	Views
Logstash grok pattern issue Logstash	3	341	October 9, 2019
Need to parse multi-lines log message Logstash	4	124	May 27, 2024
Unable parse multiline pattern Logstash	3	261	March 25, 2020
_grokparsefailure on file parsing Beats filebeat	8	1854	November 24, 2016
Grok filter failing multiline logs from filebeat Logstash	2	1386	August 22, 2018

Grok patter is not parsing multiline log

Related topics