Log lines are clumped even after correct grok and multiline pattern added

I have tested both my grok pattern and multiline pattern for this log file, but in Kibana some log lines are getting combined and cannot be separated. It looks like this:

"May 26" should be considered the start of a log line, and they should all be individual entries rather than all together.
Below is sample data:

May 26, 2020  11:30:50 029864 INFO       Rolled back Trans(qrt).
May 26, 2020  11:30:51 0250D4 ERROR      Execution failed for the view 'Uptime Graphic' (ExecFrequency = 30 secs) in 0 ms. Error: Failed to create the table for local view: Uptime Graphic. SQL: {CREATE TABLE [dbo].[LOCALVIEW_150] ([Porcentaje] [float] NULL, [Estado] [varchar](12) NULL, [TenantId] [int] NULL, [Formatting] VARCHAR(4000) NULL)} Error: Error during query execution(qrt). More information:  State:S0001,Native:2714,Origin:[Microsoft][ODBC Driver 11 for SQL Server][SQL Server]
, There is already an object named 'LOCALVIEW_150' in the database.

May 26, 2020  11:30:52 0250D4 INFO       Thread stopped gracefully and removed from pool since there was an error in execution
May 26, 2020  11:30:52 029510 INFO       Rolled back Trans(qrt).
May 26, 2020  11:30:53 022C10 INFO       Processing for Policy not in schedule.
May 26, 2020  11:30:53 0250D4 ERROR      Execution failed for the view 'ATMs with RMM Agent' (ExecFrequency = 300 secs) in 0 ms. Error: Failed to create the table for local view: ATMs with RMM Agent. SQL: {CREATE TABLE [dbo].[LOCALVIEW_146] ([AtmKey] [bigint] NULL, [Terminal ID] [nvarchar] (256) NULL, [Formatting] VARCHAR(4000) NULL)} Error: Error during query execution(qrt). More information:  State:S0001,Native:2714,Origin:[Microsoft][ODBC Driver 11 for SQL Server][SQL Server]
, There is already an object named 'LOCALVIEW_146' in the database.

May 26, 2020  11:30:54 022C10 INFO       Query Execution Time for policy "Terminals Down by Device Handler": 0 (ms)
May 26, 2020  11:30:54 022C10 INFO       Processing policy "Terminals Down by Device Handler" for action type: 3
May 26, 2020  11:30:54 022C10 INFO       Processed policy "Terminals Down by Device Handler" for action type: 3 successfully.
May 26, 2020  11:30:54 022C10 INFO       Inconsistency/Sanity check for Centralview/policyresult mismatch finished successfully for: Terminals Down by Device Handler.
May 26, 2020  11:30:54 022C10 INFO       Successfully processed the view action for policy: Terminals Down by Device Handler in 32 ms
May 26, 2020  11:30:54 022C10 INFO       Query Execution Time for policy "Terminals Down By Line Handler": 0 (ms)
May 26, 2020  11:30:54 022C10 INFO       Processing policy "Terminals Down By Line Handler" for action type: 3
May 26, 2020  11:30:54 022C10 INFO       Processed policy "Terminals Down By Line Handler" for action type: 3 successfully.
May 26, 2020  11:30:54 022C10 INFO       Inconsistency/Sanity check for Centralview/policyresult mismatch finished successfully for: Terminals Down By Line Handler.

Grok

(?<timestamp>%{MONTH} %{MONTHDAY}, %{YEAR}%{SPACE}%{TIME}) %{NOTSPACE} %{NOTSPACE:loglevel} %{GREEDYDATA:logmessage}

Multiline

  multiline.pattern: '^%{MONTH}%{SPACE}%{MONTHDAY},%{SPACE}%{YEAR}?'
  multiline.negate: true
  multiline.match: after

Found a fix for the multiline pattern:

^(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)

Great, you've found it on your own. Keep working.


@mancharagopan it didn't work either, actually. So I am not sure why, after the right multiline pattern, log lines aren't being collected based on the timestamp. What could be the reason?
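The following is an added worked example, not code from the thread or from Elastic: it emulates Filebeat's `multiline.negate: true` / `multiline.match: after` behaviour in Python and runs it over a constructed copy of the sample log above (the long ERROR line is shortened). `MONTH_FIXED` is the month alternation that grok's `%{MONTH}` expands to; `MONTH_BROKEN` is the same alternation with the `|` between the April and May branches dropped, an easy slip when the pattern is copied by hand and one that makes every "May" line fail the start-of-event test, so all lines get glued onto the first event. `parse_event` is a regex rendering of the post's grok pattern; the `thread` field name, the function names and `SAMPLE` are my assumptions.

```python
import re

# Month alternation as grok's %{MONTH} defines it (assumption: copied from the
# grok-patterns file; used here as a plain regex because Filebeat's
# multiline.pattern is a Go regexp and does not expand %{MONTH}).
MONTH_FIXED = (
    r"(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?"
    r"|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?"
    r"|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)"
)

# Same alternation with the "|" between the April and May branches missing:
# "[Aa]pr(?:il)?[Mm]a(?:y|i)?" only matches strings like "AprMay", so a line
# starting with "May" matches no branch at all.
MONTH_BROKEN = (
    r"(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?"
    r"|[Aa]pr(?:il)?[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?"
    r"|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)"
)

# Constructed sample, taken from the post's excerpt (ERROR line shortened).
SAMPLE = "\n".join([
    "May 26, 2020  11:30:50 029864 INFO       Rolled back Trans(qrt).",
    "May 26, 2020  11:30:51 0250D4 ERROR      Execution failed for the view 'Uptime Graphic'"
    " (ExecFrequency = 30 secs) in 0 ms. Error: Failed to create the table for local view:"
    " Uptime Graphic. Origin:[Microsoft][ODBC Driver 11 for SQL Server][SQL Server]",
    ", There is already an object named 'LOCALVIEW_150' in the database.",
    "",
    "May 26, 2020  11:30:52 0250D4 INFO       Thread stopped gracefully and removed from pool"
    " since there was an error in execution",
    "May 26, 2020  11:30:52 029510 INFO       Rolled back Trans(qrt).",
])


def start_pattern(month):
    """Regex equivalent of multiline.pattern '^MONTH DD, YYYY'."""
    return re.compile(r"^" + month + r"\s+\d{1,2},\s+\d{4}")


def multiline_negate_after(lines, start_re):
    """Emulate Filebeat multiline with negate: true and match: after.

    A line that does NOT match the start pattern is appended to the previous
    event; a line that does match opens a new event.
    """
    events = []
    for line in lines:
        if start_re.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def split_events(text, month=MONTH_FIXED):
    """Split raw log text into events using the given month alternation."""
    return multiline_negate_after(text.splitlines(), start_pattern(month))


# Regex rendering of the post's grok pattern. "thread" is an assumed name for
# the unnamed %{NOTSPACE}; re.S lets logmessage span continuation lines, which
# plain %{GREEDYDATA} does not do in Logstash without a (?m) prefix.
GROK = re.compile(
    r"(?P<timestamp>" + MONTH_FIXED + r" \d{1,2}, \d{4}\s+\d{1,2}:\d{2}:\d{2})"
    r" (?P<thread>\S+) (?P<loglevel>\S+)\s+(?P<logmessage>.*)",
    re.S,
)


def parse_event(event):
    """Return the grok-style fields of one multiline event, or None if no match."""
    m = GROK.match(event.rstrip())
    return m.groupdict() if m else None


if __name__ == "__main__":
    print("broken month regex ->", len(split_events(SAMPLE, MONTH_BROKEN)), "event(s)")
    for ev in split_events(SAMPLE):
        rec = parse_event(ev)
        print(rec["timestamp"], rec["loglevel"], rec["logmessage"].splitlines()[0][:40])
```

Two things this shows that the thread itself does not spell out: Filebeat's `multiline.pattern` is a Go regular expression, so `%{MONTH}` is matched literally rather than expanded (which is why the hand-expanded alternation is needed at all), and a single missing `|` in that alternation silently turns every "May" line into a continuation line. On the Logstash side, `%{GREEDYDATA:logmessage}` stops at the first newline of a multiline event; prefix the pattern with `(?m)` if the continuation lines should land in `logmessage`.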
