Hyphen-minus with a new line

Burga · June 10, 2020, 9:36am

Hi , I'm trying to grok log with a multiple lines and Hyphen-minus and got stuck

2020-06-10 10:06:59,821 WARN [ImageFilterEffect:thread-1] [confluence.image.effects.ImageFilterTask] rotateWhenExifExist Could not retrieve exif info.
 -- url: /confluence/download/attachments/125736733/hardware%20certification.jpg | referer: https://wiki.checkpoint.com/confluence/ | traceId: 031d85ca5d5db288 | userName: roniz

here "-- url" is already a new line

my grok filter is

(?m)%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} \[%{DATA:thread}\] \[%{DATA}\] %{SPACE}%{WORD}%{SPACE}%{DATA:Error}\.

please need your assistance .

andres-perez · June 10, 2020, 11:57am

Hi!

I don't know about your multiline configuration and intended use case (what to do with the second line with hyphen - minus. " -- url: ..." line.

Anyway, there is a blank space before the %{SPACE}%{WORD}%{SPACE} so your pattern looks for 2 spaces before a word instead of just 1.

You can check it https://grokconstructor.appspot.com/do/match , it's a good idea to start adding elements one by one to your pattern and confirm that they are working as intended.

Topic		Replies	Views
Log event with multi-line Logstash	5	522	March 26, 2018
Multiline pattern with grok filter Logstash	2	1549	July 6, 2017
Logs on two lines Logstash	7	608	July 26, 2019
Grok multiline parse failures Logstash	7	4860	November 17, 2017
How to use multiline to break up messages delimited with - (hyphen) Logstash	3	828	July 6, 2017

Hyphen-minus with a new line

Related topics