Discuss the Elastic Stack

Grok pattern to read the testname in a multiline logfile

Elastic Stack Logstash

sharath3185 (Sharath) October 18, 2016, 6:03am 1

Hi I am trying to fetch the testnames from a multiline logfile using logstash.
Below is the sample:

testname1.sh
DH no
TIMESTAMP 1454774186
LASTSTATION xxx
LASTPASS 1454774186
PASSNUM 1500
PASSSTATION xxx
TESTDURATION 286
TIMESRUN 1500
STATUS PASSED

testname2.sh
TIMESTAMP 1454775151
LASTSTATION xxx
LASTPASS 1454775151
PASSNUM 1498
PASSSTATION xxx
TESTDURATION 229
TIMESRUN 1498
STATUS PASSED

testname3.sh
DH no
PRIORITY HIGH
LASTPASS 1454567890
PASSNUM 1483
PASSSTATION xxx
TESTDURATION 33796
TIMESRUN 1483
TIMESTAMP 1454771355
STATUS RUNNING
LASTSTATION yyy

I need to extract testname1.sh, testnam2.sh and testname3.sh and index it into 1 document in Elasticsearch

I tried different patterns , but nothing seems to be working
Few things i tried
grok
{
match => [
"message", "%{GREEDYDATA:testname}.sh"
]
}

Also, I tried usng multiline filter to read compelte file with the below pattern
multiline {
pattern => "/.*./gm"
negate => true
what => "previous"
}
and tried to use the .sh string, but did not work

COuld someone please help me out on how to retrieve the testnames from the above sample?

magnusbaeck (Magnus Bäck) October 20, 2016, 7:45pm 2

pattern => "/.*./gm"

This searches for lines that literally begin with "/" and end with "/gm". Try replacing it with ^$, expressing "if the line isn't empty, join with the previous line".

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.