Hey,
So I'm parsing multiline logs using Filebeat and Logstash.
The multiline pattern is made in Filebeat like this:
multiline:
  pattern: '^Offset'
  negate: true
  match: after
One complete log looks like this:
Offset = 948639, Topic = LOGM, Source = NDM, Type = CreateSystemApiLog, Value = entry {
correlationId: "gferw|NDM-5c59f6bd-9b11-4928-b5f6-6d76bcd58cd1"
sourceId: "NDM"
entryType: REQUEST
entrySubType: END_POINT
operation: READ
user: "gferw"
host: "10.130.16.18"
uri: "/com.oiforum.json/ndm/network/1/endpoint/1311656127347565"
timestamp: "2016-11-11T11:38:24.939Z"
}
I'm using http://grokconstructor.appspot.com/do/match to test the grok patterns and the result is this:
Every field is parsed with grok patterns correctly, but the grokconstructor website still gives an error.
When I apply the same patterns to Logstash and Filebeat and then visualize the data generated, it always appears with the tag "_grokparsefailure", so I have no fields from the log. Why is this happening?
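
An added example, not part of the original post: a Python emulation of the multiline settings above (pattern `^Offset`, negate: true, match: after) run over a constructed two-event sample in the posted format. It shows that each joined event is a single string with embedded newlines, and extracts the fields from it; the function names `group_events` and `parse_event` are hypothetical.

```python
import re

# Constructed sample: two events in the format shown in the post.
SAMPLE = '''Offset = 948639, Topic = LOGM, Source = NDM, Type = CreateSystemApiLog, Value = entry {
correlationId: "gferw|NDM-5c59f6bd-9b11-4928-b5f6-6d76bcd58cd1"
entryType: REQUEST
user: "gferw"
host: "10.130.16.18"
timestamp: "2016-11-11T11:38:24.939Z"
}
Offset = 948640, Topic = LOGM, Source = NDM, Type = CreateSystemApiLog, Value = entry {
entryType: RESPONSE
user: "gferw"
}
'''

START = re.compile(r'^Offset')                     # multiline.pattern from the post
BODY = re.compile(r'^\s*(\w+):\s*"?(.*?)"?\s*$')   # key: value or key: "value"

def group_events(text):
    """negate: true + match: after -> every line that does NOT match
    the pattern is appended to the preceding line that did match."""
    events, current = [], []
    for line in text.splitlines():
        if START.search(line) and current:
            events.append("\n".join(current))      # joined with newlines
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events

def parse_event(event):
    """Split one joined event into header fields and body fields."""
    header, *body = event.split("\n")
    fields = {}
    for part in header.split(", "):
        key, _, value = part.partition(" = ")
        fields[key] = value.rstrip(" {")            # "entry {" -> "entry"
    for line in body:
        m = BODY.match(line)
        if m:                                       # the closing "}" is skipped
            fields[m.group(1)] = m.group(2)
    return fields

if __name__ == "__main__":
    for ev in group_events(SAMPLE):
        print(repr(ev[:60]), "->", parse_event(ev))
```
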