Logs on two lines

Hi,

I am trying to get logs whose are on two different lines :

[2019-06-18T06:57:32.032Z] [org.kie.api.internal.utils.tydhiks] [main] [141] [INFO ]
Adding Service org.drools.core.concurrent.EEEeeF

In my logstash I tried :

 grok {
      patterns_dir => "/u01/app/elk-config/logstash/patterns"
          match => ["message", "(?m)\[(?<timestamp>%{TIMESTAMP_ISO8601})\]\[%{DATA:servlet}\]\[%{WORD:branch}\]\[%{DATA:PID}\]\[%{DATA:level}\]%{DATA:log_message}"]
     }

but it does not take the second line in the same json and I've got a "_grokparsefailure" on my field log_message.

I tried :

    filter {
        mutate {
           gsub => ["message", "\s\n*", ""]
       }
    }

but it does not change anything
Do you have an idea ?
Thanks

Are both lines part of the same event?

Yes it’s the same event

DATA does not match newlines. Try

match => ["message", "^\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:servlet}\] \[%{WORD:branch}\] \[%{DATA:PID}\] \[%{DATA:level}\]%{GREEDYDATA:log_message}"]

No It's the same issue my log message is split .

Hi,

Have a look at this. Sounds similar to what you are trying to achieve
https://www.elastic.co/guide/en/logstash/current/multiline.html#_timestamps

Thanks, it helped me ! My events was not good

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.