Hi all, please help me resolve this issue. Due to the line break after "Command Line : test" in the log, the data is not coming into a single object.

log data

Job Id : 181202632
Job Name : yutrw
Batch Id : 181202632
Command Line : test

Execution User : WINNTDOM
Execution Queue : General

output
{
Job Name : yutrw
Batch Id : 181202632
Command Line : test
}
{
Execution User : WINNTDOM
Execution Queue : General
}

Expecting a single object like this:
{
Job Name : yutrw
Batch Id : 181202632
Command Line : test
Execution User : WINNTDOM
Execution Queue : General
}

Logstash configuration

input {
  file {
    path => "/logstash/data/test.log"
    start_position => "beginning"
    sincedb_path => "nul"
    # Lines that do not start with whitespace are appended to the previous line
    codec => multiline {
      pattern => "^\s"
      negate => true
      what => "previous"
    }
  }
}

filter {
  # Drop events that carry no key/value data
  if ":" not in [message] or "*" in [message] or "Note" in [message] {
    drop {}
  }
  # Strip carriage returns
  mutate {
    gsub => ["message", "\r", ""]
  }
  grok {
    match => { "message" => "%{GREEDYDATA:errordetails}" }
  }
  # One "key : value" pair per line
  kv {
    field_split => "\n"
    value_split => ":"
    source => "message"
  }
  mutate {
    remove_field => [ "message" ]
  }

  mutate {
    remove_tag => [ "multiline" ]
  }

  mutate {
    remove_field => [ "tags" ]
  }

  mutate {
    remove_field => [ "@version" ]
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "ActiveBatchLog"
    document_type => "ActiveBatchLog"
  }
  stdout { codec => rubydebug }
}

REs

It looks like you have an empty line that causes the multiline codec to trigger. How do you differentiate between the two empty lines? What does a larger sample of the log look like?
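Why the blank line splits the event, as an added example that is not part of the original thread and is not Logstash code: a small Python model of the multiline codec's `what => "previous"` behaviour, with a rough stand-in for the `gsub` and `kv` filters. It assumes the file has CRLF line endings, so the blank line reaches the codec as `\r`; the sample text and all function names are constructed for illustration.

```python
import re

# Constructed sample mirroring the log in the question. Assumption: CRLF line
# endings, so the "blank" line is really a lone "\r".
SAMPLE = (
    "Job Id : 181202632\r\n"
    "Job Name : yutrw\r\n"
    "Batch Id : 181202632\r\n"
    "Command Line : test\r\n"
    "\r\n"
    "Execution User : WINNTDOM\r\n"
    "Execution Queue : General\r\n"
)

def multiline_previous(lines, pattern, negate):
    """Model of what => "previous": a line that satisfies the (optionally
    negated) pattern joins the current event; any other line starts a new one."""
    rx, events, buf = re.compile(pattern), [], []
    for line in lines:
        belongs_to_previous = bool(rx.search(line)) != negate
        if not belongs_to_previous and buf:
            events.append("\n".join(buf))
            buf = []
        buf.append(line)
    if buf:
        events.append("\n".join(buf))
    return events

def to_fields(event):
    """Rough stand-in for the gsub + kv filters: strip CR, split on first ':'."""
    fields = {}
    for line in event.replace("\r", "").split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def parse(text, pattern=r"^\s", negate=True):
    # Assumption: the input splits on "\n" only, so each line keeps its "\r".
    lines = text.split("\n")[:-1]
    return [to_fields(e) for e in multiline_previous(lines, pattern, negate)]

if __name__ == "__main__":
    print("CRLF file:", parse(SAMPLE))                     # two objects
    print("LF file:  ", parse(SAMPLE.replace("\r", "")))   # one object
```

With CRLF input the lone `\r` matches `^\s` and, because of `negate => true`, starts a new event before the `gsub` filter ever removes it; with LF-only input the truly empty line does not match and everything stays in one event.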
