How to parsing multiline messages with conditionals issues in Logstash?

Kennedy_Kan1 · July 12, 2016, 2:36am

I have a log file reading through the ftp process and I am using logstash to ingest the data.

A sample record is like that

Enter an FTP subcommand.
> PUT REPE533 AMTD_Statusfile.txt
227 Entering Passive Mode (10,133,104,90,7,136).
125 Data connection already open; Transfer starting.
226 Transfer complete.
157320 bytes transferred in 0.005 seconds. Transfer rate 32219.137 KB/sec.
Enter an FTP subcommand.
> QUIT

I just want to extract the message PUT REPE533 AMTD_Statusfile.txt and Transfer complete How should I grok the message with logstash? Here is the filter part of my config file.

if ([message] =~ /PUT/){
    multiline{
        pattern => "> "
        what => "next"
    }
	grok{
		match => {"message" => ['> %{GREEDYDATA: Command}\r\n%{GREEDYDATA:Message}\r\n%{SPACE}Enter an FTP subcommand.'] }
	}
	if ([Message] =~ /(Transfer Complete)/){    		
		mutate {
			add_field => {"Status" => "Transfer Complete"}
			add_tag => "send_to_es"
		}
	}
	mutate {
		remove_field => "%{Message}"
		add_tag => "send_to_es"
	}
}

magnusbaeck · July 12, 2016, 5:45am

Again, I suspect the aggregate filter will help you.

Kennedy_Kan1 · July 12, 2016, 6:21am

Sorry, I could not understand how aggregate plugin can help me. Currently, I can extract the message separately if I did not use multiline function. However, when I use multiline function and try to group the message together into grok for analysis, it will just ignore the multiline pattern and read back the lines as a single message. How should I combine them as a message?