Issue with file input multiline codec

sjivan · November 16, 2016, 4:50pm

Hi,
I have a log file that has I need to support multiline parsing and I'm in the process of migrating from multiline filter to multiline codec

My input configuration is

file {
    path => "c:/temp/test.log"
    start_position => beginning
    sincedb_path => "NUL"
    ignore_older => 0
    codec => multiline {
        pattern => "^%{MONTHDAY} %{MONTH} %{YEAR} %{TIME}"
        negate => true
        what => previous
    }       
}

When the log file has

28 Oct 2016 19:35:48:Log Message 1
28 Oct 2016 19:35:48:Log Message 2

the output containts only the first message

{
          "path" => "c:/temp/test.log",
    "@timestamp" => 2016-11-16T16:44:07.738Z,
      "@version" => "1",
          "host" => "myhost",
       "message" => "28 Oct 2016 19:35:48:Log Message 1\r",
          "tags" => []
}

When the log file has

28 Oct 2016 19:35:48:Log Message 1
28 Oct 2016 19:35:48:Log Message 2
28 Oct 2016 19:35:48:Log Message 3a
   Message 3b
28 Oct 2016 19:35:48:Log Message 4

the output has the first three messages but is missing Message 4

{
          "path" => "c:/temp/test.log",
    "@timestamp" => 2016-11-16T16:45:13.398Z,
      "@version" => "1",
          "host" => "myhost",
       "message" => "28 Oct 2016 19:35:48:Log Message 1\r",
          "tags" => []
}
{
          "path" => "c:/temp/test.log",
    "@timestamp" => 2016-11-16T16:45:13.403Z,
      "@version" => "1",
          "host" => "myhost",
       "message" => "28 Oct 2016 19:35:48:Log Message 2\r",
          "tags" => []
}
{
          "path" => "c:/temp/test.log",
    "@timestamp" => 2016-11-16T16:45:13.404Z,
      "@version" => "1",
          "host" => "myhost",
       "message" => "28 Oct 2016 19:35:48:Log Message 3a\r\n   Message 3b\r",
          "tags" => [
        [0] "multiline"
    ]
}

Any suggestions would be appreciated.

Using LS 5.0

Thanks,
Sanjiv

sjivan · November 17, 2016, 12:48pm

I found a related issue https://github.com/logstash-plugins/logstash-input-file/issues/90 which mentions that auto_flush needs to be set via the auto_flush_interval codec parameter. Once I set auto_flush_interval => 3 I observed the desired behavior.

file {
    path => "c:/temp/test.log"
    start_position => beginning
    sincedb_path => "NUL"
    ignore_older => 0
    codec => multiline {
        pattern => "^%{MONTHDAY} %{MONTH} %{YEAR} %{TIME}"
        negate => true
        what => previous
        auto_flush_interval => 3
    }       
}

system · December 15, 2016, 12:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash input file codec multiline not working as expected Logstash	4	3022	July 6, 2017
Question about Multiline codec in combining the lines Logstash	6	1685	July 6, 2017
Multiline codec with file input Logstash	5	413	June 21, 2018
Multiline codec/filter not working Logstash	3	537	July 6, 2017
Logstash input multiline codec Entire file is getting merged into single line Logstash	2	465	May 1, 2020

Issue with file input multiline codec

Related topics