Log event with multi-line

shwesinhan · February 2, 2018, 10:06am

hi there,

may i ask about multi-line pattern matching in grok filter.
in input part, i use tcp input plugin then grok in filter part.

eg:

2018-02-02 15:44:44,805 (null) 19 WARN : WEBFRORM: Somepage:: 342juajpobzxv4svu4jgt40v :: REQ: <PPRequest>
 <version>1.0</version>
 <timeStamp>020218154508</timeStamp>
 <iiid>444</iiid>
 <uniqueID></uniqueID>
 <inv>WS18020200002</inv>
 <processType>I</processType>
 <hashValue>4D83188885821DFEDB895B36E1A4DB2EF88D0608</hashValue>
 </PPRequest>
PPRequest: 27925660ms

when i grok this log event, i face _grokparsefailure
is there anyway to grok multi-line log event?

help!

magnusbaeck · February 2, 2018, 10:18am

Unless we know what your grok expression looks like we can't help.

shwesinhan · February 3, 2018, 1:13pm

this is my grok regex @magnusbaeck

if "<PPRequest>" in [message] {			
   grok {
		match => { "message" => [ "^(?<log_timestamp>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{1,3}).*?(?<threadno>\d+).*?%{WORD:log_level}.*?Somepage\s{0,}::\s+(?<session_id>.*?)\s{0,}::\s{0,}:REQ:.*?<iiid>(?<mid>.*?)</iiid>.*?<inv>(?<invoice_id>.*?)</inv>"]}
		add_field => { "log_type" => "PREQUEST" }
	}	
}

magnusbaeck · February 4, 2018, 9:05pm

Try prepending your expression with (?m). See example at https://stackoverflow.com/a/28231905/414355.

shwesinhan · February 26, 2018, 6:10am

By using (?m) flag is only ok at https://grokdebug.herokuapp.com/
But when i use actual logstash conf, it doesn't work.

system · March 26, 2018, 6:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.