Issue with file input multiline codec

sjivan · November 16, 2016, 4:50pm

Hi,
I have a log file that has I need to support multiline parsing and I'm in the process of migrating from multiline filter to multiline codec

My input configuration is

file {
    path => "c:/temp/test.log"
    start_position => beginning
    sincedb_path => "NUL"
    ignore_older => 0
    codec => multiline {
        pattern => "^%{MONTHDAY} %{MONTH} %{YEAR} %{TIME}"
        negate => true
        what => previous
    }       
}

When the log file has

28 Oct 2016 19:35:48:Log Message 1
28 Oct 2016 19:35:48:Log Message 2

the output containts only the first message

{
          "path" => "c:/temp/test.log",
    "@timestamp" => 2016-11-16T16:44:07.738Z,
      "@version" => "1",
          "host" => "myhost",
       "message" => "28 Oct 2016 19:35:48:Log Message 1\r",
          "tags" => []
}

When the log file has

28 Oct 2016 19:35:48:Log Message 1
28 Oct 2016 19:35:48:Log Message 2
28 Oct 2016 19:35:48:Log Message 3a
   Message 3b
28 Oct 2016 19:35:48:Log Message 4

the output has the first three messages but is missing Message 4

{
          "path" => "c:/temp/test.log",
    "@timestamp" => 2016-11-16T16:45:13.398Z,
      "@version" => "1",
          "host" => "myhost",
       "message" => "28 Oct 2016 19:35:48:Log Message 1\r",
          "tags" => []
}
{
          "path" => "c:/temp/test.log",
    "@timestamp" => 2016-11-16T16:45:13.403Z,
      "@version" => "1",
          "host" => "myhost",
       "message" => "28 Oct 2016 19:35:48:Log Message 2\r",
          "tags" => []
}
{
          "path" => "c:/temp/test.log",
    "@timestamp" => 2016-11-16T16:45:13.404Z,
      "@version" => "1",
          "host" => "myhost",
       "message" => "28 Oct 2016 19:35:48:Log Message 3a\r\n   Message 3b\r",
          "tags" => [
        [0] "multiline"
    ]
}

Any suggestions would be appreciated.

Using LS 5.0

Thanks,
Sanjiv

sjivan · November 17, 2016, 12:48pm

I found a related issue https://github.com/logstash-plugins/logstash-input-file/issues/90 which mentions that auto_flush needs to be set via the auto_flush_interval codec parameter. Once I set auto_flush_interval => 3 I observed the desired behavior.

file {
    path => "c:/temp/test.log"
    start_position => beginning
    sincedb_path => "NUL"
    ignore_older => 0
    codec => multiline {
        pattern => "^%{MONTHDAY} %{MONTH} %{YEAR} %{TIME}"
        negate => true
        what => previous
        auto_flush_interval => 3
    }       
}

system · December 15, 2016, 12:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Add multiline codec issue on logstash Logstash	6	321	June 27, 2023
Logstash 5.1 - Multiline codec with file input Logstash	3	1962	February 9, 2017
Multiline codec reading entire log file as one line Logstash	1	1188	June 20, 2017
Logstash file input/output with multiline codec Logstash	9	1351	April 16, 2021
Logstash multiline codec plugin Logstash	4	260	July 16, 2018

Issue with file input multiline codec

Related topics