Help with particular grok pattern (SOLVED)

Hi all,
I have a little problem with this type of log:

Wed Sep 20 16:02:39 2017 (186085) -7- ================= FUNCTOR WAITING FOR MSG =================
Wed Sep 20 16:02:39 2017 (284410) -7- <----------RECVFROM <- len [193] bytes
Wed Sep 20 16:02:39 2017 (340305) -7- Received():13624,0,20001,QLen is 0
Wed Sep 20 16:02:39 2017 (340329) -7- IPCMutexResource::lock
Wed Sep 20 16:02:39 2017 (340337) -7- FUNCTOR-ROW: Received pid=13624 id=0 loop=0 port=20001 queuelen=0 recv=258976 sent=258953 status=3

I'm using the following configuration in logstash:

filter {
  grok {
    match => ["message", "\A%{HTTPDERROR_DATE:timestamp} (%{NUMBER:bytes}) %{GREEDYDATA:message} "]
  }
  date {
    match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy" ]
    timezone => "Europe/Rome"
    target => "@timestamp"
  }
  mutate {
    remove_field => [ "timestamp" ]
  }
}

I would like to have every line separate from the others, so the separator is the date, but if the timestamp is equal, I will have all messages in a single block.

Can you help me please?

It won't do that, it will treat each line as a separate event.

However, your pattern isn't valid; it should be:

%{HTTPDERROR_DATE:timestamp} \(%{NUMBER:bytes}\) %{GREEDYDATA:message}

Hi all,
the problem was solved.
I have for other logs the following properties enabled:
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after

With those rules disabled, the logs are now processed in the right manner.
Thanks to everyone.
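The two fixes in this thread, the escaped parentheses in the grok pattern and the multiline pattern that never matched this log's timestamp, as an added example that is not part of the original thread: a small Python emulation of the Filebeat multiline, grok and date steps, run over the five lines quoted above (embedded as constructed input). The sub-patterns are hand-expanded equivalents of grok's HTTPDERROR_DATE and NUMBER; the ctime-style multiline pattern and the fixed UTC+2 offset standing in for Europe/Rome are assumptions made for the example, and the emulated grok overwrites `message` instead of keeping both copies as Logstash's grok does without `overwrite`.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the five lines quoted in the thread, used as offline input.
SAMPLE_LOG = """\
Wed Sep 20 16:02:39 2017 (186085) -7- ================= FUNCTOR WAITING FOR MSG =================
Wed Sep 20 16:02:39 2017 (284410) -7- <----------RECVFROM <- len [193] bytes
Wed Sep 20 16:02:39 2017 (340305) -7- Received():13624,0,20001,QLen is 0
Wed Sep 20 16:02:39 2017 (340329) -7- IPCMutexResource::lock
Wed Sep 20 16:02:39 2017 (340337) -7- FUNCTOR-ROW: Received pid=13624 id=0 loop=0 port=20001 queuelen=0 recv=258976 sent=258953 status=3
"""

# Hand-expanded equivalents of the grok building blocks used in the thread.
DAY = r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)"
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
HTTPDERROR_DATE = rf"{DAY} {MONTH} +\d{{1,2}} \d{{2}}:\d{{2}}:\d{{2}} \d{{4}}"
NUMBER = r"[-+]?(?:\d+(?:\.\d*)?|\.\d+)"

# Corrected pattern from the answer: \( \) are escaped, so the literal brackets must be present.
GOOD_PATTERN = re.compile(
    rf"\A(?P<timestamp>{HTTPDERROR_DATE}) \((?P<bytes>{NUMBER})\) (?P<message>.*)")
# Pattern as posted in the question: the bare ( ) form a regex group, so the
# literal brackets in the log are never matched and grok fails on every line.
BAD_PATTERN = re.compile(
    rf"\A(?P<timestamp>{HTTPDERROR_DATE}) (?P<bytes>{NUMBER}) (?P<message>.*)")

# Multiline start-of-event patterns: the ISO one from the follow-up post, and a
# ctime-style one that actually matches this log's timestamp (assumed fix, not from the thread).
ISO_DATE_PATTERN = r"^[0-9]{4}-[0-9]{2}-[0-9]{2}"
CTIME_DATE_PATTERN = rf"^{DAY} {MONTH}"

# Europe/Rome is UTC+2 (CEST) on 20 Sep 2017; a fixed offset keeps the example
# runnable without tzdata. Real code would use zoneinfo.ZoneInfo("Europe/Rome").
CEST = timezone(timedelta(hours=2))


def grok(event, pattern=GOOD_PATTERN):
    """Return the named captures of `pattern`, or None on a grok parse failure."""
    m = pattern.match(event)
    return m.groupdict() if m else None


def parse_timestamp(ts, tz):
    """Mirror the date filter: 'EEE MMM dd HH:mm:ss yyyy' read in `tz`, stored as UTC."""
    naive = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def multiline_after(lines, pattern, negate=True):
    """Emulate Filebeat's multiline with match: after.

    negate: true  -> lines NOT matching `pattern` are glued to the previous event
    negate: false -> lines matching `pattern` are glued to the previous event
    """
    rx = re.compile(pattern)
    events = []
    for line in lines:
        continuation = bool(rx.search(line)) != negate
        if continuation and events:
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events


def process(raw, multiline_pattern, tz=CEST):
    """Run the thread's pipeline: multiline -> grok -> date, returning parsed events."""
    parsed = []
    for event in multiline_after(raw.splitlines(), multiline_pattern):
        fields = grok(event)
        if fields is None:
            parsed.append({"message": event, "tags": ["_grokparsefailure"]})
            continue
        # Like remove_field on "timestamp" after the date filter fills @timestamp.
        fields["@timestamp"] = parse_timestamp(fields.pop("timestamp"), tz)
        parsed.append(fields)
    return parsed


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("posted pattern matches line 1:", grok(lines[0], BAD_PATTERN) is not None)
    print("fixed pattern matches line 1: ", grok(lines[0]) is not None)
    merged = process(SAMPLE_LOG, ISO_DATE_PATTERN)
    print(f"ISO multiline pattern   -> {len(merged)} event(s); message kept: {merged[0]['message']!r}")
    split = process(SAMPLE_LOG, CTIME_DATE_PATTERN)
    print(f"ctime multiline pattern -> {len(split)} event(s) sharing @timestamp {split[0]['@timestamp']}")
```

The part worth remembering from the emulation: a multiline pattern that matches none of the input lines turns the whole file into a single event, and because `.` in GREEDYDATA does not cross newlines, grok still succeeds on that event while everything after the first line silently disappears from the parsed fields, so no `_grokparsefailure` tag warns you. Comparing the event count against the line count of a sample file is a cheap check whenever multiline settings are enabled, since five lines with identical timestamps still come out as five events once the start-of-event pattern matches.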
