Logs on two lines

kentatoi · June 27, 2019, 7:47pm

Hi,

I am trying to get logs whose are on two different lines :

[2019-06-18T06:57:32.032Z] [org.kie.api.internal.utils.tydhiks] [main] [141] [INFO ]
Adding Service org.drools.core.concurrent.EEEeeF

In my logstash I tried :

 grok {
      patterns_dir => "/u01/app/elk-config/logstash/patterns"
          match => ["message", "(?m)\[(?<timestamp>%{TIMESTAMP_ISO8601})\]\[%{DATA:servlet}\]\[%{WORD:branch}\]\[%{DATA:PID}\]\[%{DATA:level}\]%{DATA:log_message}"]
     }

but it does not take the second line in the same json and I've got a "_grokparsefailure" on my field log_message.

I tried :

    filter {
        mutate {
           gsub => ["message", "\s\n*", ""]
       }
    }

but it does not change anything
Do you have an idea ?
Thanks

Badger · June 27, 2019, 8:27pm

Are both lines part of the same event?

kentatoi · June 27, 2019, 10:34pm

Yes it’s the same event

Badger · June 27, 2019, 10:49pm

DATA does not match newlines. Try

match => ["message", "^\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:servlet}\] \[%{WORD:branch}\] \[%{DATA:PID}\] \[%{DATA:level}\]%{GREEDYDATA:log_message}"]

kentatoi · June 28, 2019, 12:17pm

No It's the same issue my log message is split .

sjabiulla · June 28, 2019, 12:23pm

Hi,

Have a look at this. Sounds similar to what you are trying to achieve
https://www.elastic.co/guide/en/logstash/current/multiline.html#_timestamps

kentatoi · June 28, 2019, 3:21pm

Thanks, it helped me ! My events was not good

system · July 26, 2019, 3:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.