Https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html


(Reuben Puketapu) #1
filter {
multiline {
    type => "somefiletype"
    pattern => "\\$"
    what => "next"
  }
}

There is no explanation around what the "type" should be?? Just an update to the documentation.

Is it possible to match on a particular field i.e. specify to use the "message" part of the log.

Thanks


(Magnus Bäck) #2

There is no explanation around what the "type" should be?? Just an update to the documentation.

Yeah, that's outdated stuff. Probably a copy/paste mistake from the multiline filter docs. It was corrected in https://github.com/logstash-plugins/logstash-codec-multiline/commit/9d4f079dde13c34a24132d9b811364f60c3ad72b but that commit obviously hasn't reached the elastic.co page you looked at.

Is it possible to match on a particular field i.e. specify to use the "message" part of the log.

In the codec context you basically just have one field (message) so choosing which field to act on doesn't really make sense.


(Reuben Puketapu) #3

Thanks, Magnus.

Trying to work out how I can merge two logs together in the filter stage, as it cannot be done in the input..
This is because I have to pull the actual log from a field within the message.

Original

2016-12-21T01:39:29Z	fluentd	{"log":"Traceback (most recent call last):\n","stream":"stderr","docker":{"container_id":"7a9b54502ad3c2664b93f3f5defce53e6243da995b17a246etc.........}

turns into:

 Traceback (most recent call last):

which then needs to be merged with another message:

Original:

2016-12-21T01:39:29Z	fluentd	{"log":"    return self.run(*args, **kwargs)\n","stream":"stderr","docker":{"container_id":"7a9b54502ad3c2664b93f3f5defce53e6243da995b17a2........etc}}

turns into:

	    return self.run(*args, **kwargs)

ie a python trace that's already inside of a field.

Ideal outcome:

Traceback (most recent call last):
    return self.run(*args, **kwargs)
    raise HTTPError(http_error_msg, response=self)
etc.....

Thanks again!


(Magnus Bäck) #4

Oh, that's painful. Can't you fix the problem at the source and get it to emit reasonable log messages? If not I probably wouldn't use Logstash to untangle the log but rather use something else and have Logstash process the results.


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.