Help pattern for multiline logs

JackieLaFrite · April 17, 2023, 1:03pm

What pattern should I use to retrieve correctly multi-lines logs ?

Normally I use :

  file {
    path => "/var/log/appslogs/**/*.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
	codec => multiline {
	  pattern => "^\s"
	  what => "previous"
    }
    type => "app"
  }

Here is an exemple of logs (with and without error) :

2023-02-09 00:00:03 [DEBUG] org.apache.activemq.util.ThreadPoolUtils:54 -> Forcing shutdown of ExecutorService: java.util.concurrent.ThreadPoolExecutor@646bc5f[Running, pool size = 1, active threads = 0, queued tasks = 0, completed tasks = 1] 2
2023-02-09 00:00:03 [ERROR] org.apache.camel.component.jms.DefaultJmsMessageListenerContainer:934 -> Could not refresh JMS Connection for destination 'EVENT-BUS-GET-ECHO-V1-eures-jv-batch-01' - retrying using FixedBackOff{interval=5000, currentAttempts=9124, maxAttempts=unlimited}. Cause: Error while attempting to add new Connection to the pool; nested exception is javax.jms.JMSException: Could not connect to broker URL: tcp://eures-jms:31314. Reason: java.net.UnknownHostException: eures-jms
javax.jms.JMSException: Error while attempting to add new Connection to the pool
	at org.apache.activemq.jms.pool.PooledConnectionFactory.createJmsException(PooledConnectionFactory.java:279)
	at org.apache.activemq.jms.pool.PooledConnectionFactory.createConnection(PooledConnectionFactory.java:230)
	at org.apache.activemq.jms.pool.PooledConnectionFactory.createConnection(PooledConnectionFactory.java:209)
	at org.springframework.jms.support.JmsAccessor.createConnection(JmsAccessor.java:180)
	at org.springframework.jms.listener.AbstractJmsListeningContainer.createSharedConnection(AbstractJmsListeningContainer.java:413)
	at org.springframework.jms.listener.AbstractJmsListeningContainer.refreshSharedConnection(AbstractJmsListeningContainer.java:398)
	at org.springframework.jms.listener.DefaultMessageListenerContainer.refreshConnectionUntilSuccessful(DefaultMessageListenerContainer.java:915)
	at org.springframework.jms.listener.DefaultMessageListenerContainer.recoverAfterListenerSetupFailure(DefaultMessageListenerContainer.java:890)
	at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:1061)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:750) 3

But it's not working for this type of error.

Here is my grok pattern if you need it :

%{TIMESTAMP_ISO8601:time} \[%{LOGLEVEL:log_level}\] %{GREEDYDATA:message_of_log}

leandrojmp · April 17, 2023, 1:19pm

You should use the date as the multiline pattern, something like this:

pattern => "^\d{4}-\d{2}-\d{2}"

Every line that starts with a date will start the multiline, if a line does not start with a date it will e added to the previous multiline log.

JackieLaFrite · April 17, 2023, 2:22pm

It's not working :

You can see that multiple logs are retrieved as one

leandrojmp · April 17, 2023, 2:33pm

Yeah, I thought you have the negate already in your multiline configuration.

You need to have negate => true.

Try this:

        codec => multiline {
            pattern => "^\d{4}-\d{2}-\d{2}"
            negate => true
            what => "previous"
        }

JackieLaFrite · April 17, 2023, 2:41pm

Thanks, it work perfectly

system · May 15, 2023, 2:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.