Logstash multiline and clone

adrianfusco · December 5, 2022, 3:18pm

I am sending some information from filebeat using one kind of multiline pattern.

At some point, I realized I need to use another multiline pattern based on the log_source.

My idea was clone the beat and if the log_source match the one I need and the type is clone, apply another multiline pattern on this one to send the information into different documents and not a single one into another index.

The thing is that I think I should apply it in the filtering side for being able to do it, but this plugin has been deprecated: Multiline filter plugin | Logstash Reference [8.5] | Elastic

Something like this:

input {
    beats {
        port => 5044
    }
}

filter {
    if [log_source] == "logs_for_filter" {
        clone  {
            clones => ["cloned_logs_for_filter"]
        }
    }
    
    if [type] == "cloned_logs_for_filter" {
        multiline {
            pattern => "(^<case)"
            negate => true
            what => previous
        }
    }
    if [log_source] == "logs_for_filter" and "cloned_logs_for_filter" not in [type] {
       # do things
    }
}
output {
    stdout {
        codec => rubydebug
    }
    if [type] == "cloned_logs_for_filter" {
        elasticsearch {
            hosts => "elasticsearch:9200"
            index => "index_2"
        }
    }
    else {
        elasticsearch {
            hosts => "elasticsearch:9200"
            index => "index_two"
        }
    }
}

Do you think there's another way to do it? Thank you.

leandrojmp · December 5, 2022, 4:26pm

It won't work this way.

You need to configure multiline in the source, in this case, you need to configure it in beats.

The best option would be to use a different log input for each kind of multiline you have.

adrianfusco · December 5, 2022, 4:28pm

That's another good solution @leandrojmp thank you very much.

--

At the end I've applied the split plugin

        split {
            field => "message"
            terminator => "
"
        }

And then pass the grok filter in each one of them. At this way it's storing each match in different documents.

system · January 2, 2023, 4:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash to handle multiline input from Filebeat Logstash	5	1114	December 23, 2021
Multiline codec in if else condition in beat input of logstash Logstash	8	2523	January 15, 2018
Filebeat multiline works as single liners Beats filebeat	2	581	March 4, 2019
Filebeat is sending multiple messages to elasticsearch Beats	1	432	December 3, 2019
Filebeat 1.2.0. multiline Beats filebeat	12	2173	July 5, 2017

Logstash multiline and clone

Related Topics