Help with Multiline

debarun · October 20, 2016, 7:55am

Hi ,

I just came across an event where the log lines are of the format:

Date:2016-10-18
Time:14:31:05
Event Code:0x60a
Description:Internal information only. A logical unit has been enabled
Subsystem:CKM00124801986
Device:Bus 1 Enclosure 4 Disk 10
SP:SPA
Host:localhost
Source:N/A
Category:N/A
Log:Storage Array
Sense Key:0x0
Ext Code1:0x1cb01c4
Ext Code2:0x1e57140a
Type:Information

But i just cant get the multiline to work for this.

I tried:-
%{NUMBER}.\nDate:%{DATE_YMD}

Please help.

debarun · October 21, 2016, 9:47am

Hi,

Any help is appreciated.

Regards,
Debarun.

magnusbaeck · October 23, 2016, 4:54pm

Is "1." the indicator that a new message begins? If so,

pattern => "^1\.$"
negate => true
what => previous

should work, i.e. "unless the line begins with '1.', join it with the previous line".

debarun · October 24, 2016, 7:21am

HI,

The loglines progress as 1. then 2., 3. and so on.

Regards,
Debarun.

magnusbaeck · October 24, 2016, 10:41am

Okay, so use ^\d+\.$ then.

Topic		Replies	Views
How to handle multi line logs in logstash Logstash	5	662	November 21, 2018
Multiline filter and dateparse issue in production Logstash	12	3285	July 6, 2017
Parsing multiline log Logstash	1	357	October 20, 2018
Multiline log problem Logstash	1	231	January 1, 2019
Logstash date extraction help Logstash	3	612	December 26, 2016

Help with Multiline

Related topics