I have a log file in which i will search with a specific word which will give me that line but i need to get whole message. (started from "waiting for message" to another "waiting for message")

osamaikhlas · October 22, 2018, 10:42am

18/07/04 00:00:00 | main Waiting For A Message...
18/07/04 00:00:00 | main G_GetMsg XLI-38159714: Message Length Received [230]
18/07/04 00:00:00 | main XLI-38159714: MessageSource [0028]
18/07/04 00:00:00 | main company
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-011 6:[234548]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-012 6:[234748]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-013 4:[0703]
18/07/04 00:00:00 | ProcessMessageXLI-38159714: DE-015 4:[0704]
18/07/04 00:00:00 | main Waiting For A Message...
18/07/04 00:00:00 | main G_GetMsg XLI-38159714: Message Length Received [230] 18/07/04 00:00:00 | main XLI-38159714: MessageSource [0028]
18/07/04 00:00:00 | main company
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-011 6:[234548]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-012 6:[234748]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-013 4:[0703]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-015 4:[0704]
18/07/04 00:00:00 | main Waiting For A Message...
18/07/04 00:00:00 | main Waiting For A Message...
18/07/04 00:00:00 | main G_GetMsg XLI-38159714: Message Length Received [230]
18/07/04 00:00:00 | main XLI-38159714: MessageSource [0028]
18/07/04 00:00:00 | main company
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-011 6:[234548]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-012 6:[234748]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-013 4:[0703]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-015
4:[0704] 18/07/04 00:00:00 | main Waiting For A Message...

nugusbayevkk · October 22, 2018, 11:30am

hi,
i think that you should parse you log file and then insert it to elasticsearch,
you can use filebeat or logstasg, below is an example conf of filebeat:

Multiline options

multiline.pattern: .*Waiting For A Message.*
multiline.negate: true
multiline.match: before

osamaikhlas · October 22, 2018, 12:15pm

In first picture I have edit the multiline option in filebeat config file

In second picture when I search from "osama" it will just get me that particular line not the entire message

its not working i want the whole message
Thanks in advance

nugusbayevkk · October 22, 2018, 4:04pm

you should delete one of the parameters: multiline.match and set after or before
and try to change pattern with starting ^

filebeat.yml:

filebeat.prospectors:

type: log
enabled: true
paths:

/var/log/nginx/*

multiline.pattern: "^.*This is a new row.*"
multiline.negate: true
multiline.match: before

and used next test data:

18/07/04 00:00:00 | main This is a new row....
18/07/04 00:00:00 | main G_GetMsg XLI-38159714: Message Length Received [230]
18/07/04 00:00:00 | main XLI-38159714: MessageSource [0028]
18/07/04 00:00:00 | main company
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-011 6:[234548]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-012 6:[234748]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-013 4:[0703]
18/07/04 00:00:00 | ProcessMessageXLI-38159714: DE-015 4:[0704]
18/07/04 00:00:00 | main This is a new row....
18/07/04 00:00:00 | main G_GetMsg XLI-38159714: Message Length Received [230] 18/07/04 00:00:00 | main XLI-38159714: MessageSource [0028]
18/07/04 00:00:00 | main company
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-011 6:[234548]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-012 6:[234748]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-013 4:[0703]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-015 4:[0704]
18/07/04 00:00:00 | main This is a new row....
18/07/04 00:00:00 | main This is a new row....
18/07/04 00:00:00 | main G_GetMsg XLI-38159714: Message Length Received [230]
18/07/04 00:00:00 | main XLI-38159714: MessageSource [0028]
18/07/04 00:00:00 | main company
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-011 6:[234548]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-012 6:[234748]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-013 4:[0703]
18/07/04 00:00:00 | ProcessMessage XLI-38159714: DE-015
4:[0704] 18/07/04 00:00:00 | main This is a new row....

osamaikhlas · October 23, 2018, 7:27am

after editing in filebeat file kibana is not loading the latest the file which i have edited in my folder and filebeat status failed to start. please help out. Thanks

nugusbayevkk · October 23, 2018, 9:06am

can you send your filebeat.yml?
to kanagat.nugusbayev@gmail.com

osamaikhlas · October 23, 2018, 9:15am

its resolve thanks a lot its very helpful.
Now i need to know can i break the line when the next line starts while seeing the messages on kibana
Thanks Man in Advance

Topic		Replies	Views
ElasticSearch removing message after new line character Elasticsearch	1	954	May 11, 2017
Filebeat send the entire logfile as a single message Beats filebeat	2	5645	March 9, 2018
Multiline conf file to parse log file to elasticsearch Logstash	5	1907	July 6, 2017
Create full single log file in one message event through filebeat? Beats filebeat	3	1482	April 5, 2018
How to make filebeat multiline plugin send the unmatched logs Beats filebeat	4	1420	March 8, 2018

I have a log file in which i will search with a specific word which will give me that line but i need to get whole message. (started from "waiting for message" to another "waiting for message")

Multiline options

Related topics