Logstash multiline Bug

KarouiMourad · January 6, 2016, 9:22am

Hello,

I have a problem to parse this type of log :

2015-12-05 20:08:17,689 INFO applicationhistoryservice.ApplicationHistoryServer (LogAdapter.java:info(45)) - STARTUP_MSG:
/************************************************************
STARTUP_MSG: Starting ApplicationHistoryServer
STARTUP_MSG: host = centos1/10.0.0.4
STARTUP_MSG: args = []
STARTUP_MSG: version = 2.7.1.2.3.2.0-2950

When i use this site : http://grokconstructor.appspot.com/
and i put those logs and i put this pattern :

%{TIMESTAMP_ISO8601} %{LOGLEVEL} %{DATA:service} (%{DATA:what}) - STARTUP_MSG:\n%{DATA:delete}\nSTARTUP_MSG: Starting %{DATA:starting}\nSTARTUP_MSG: host = %{DATA:host}\nSTARTUP_MSG: args = %{DATA:args}\nSTARTUP_MSG: version = %{GREEDYDATA:version}

and for the multiline i use the "^%{TIMESTAMP_ISO8601} " pattern and negate to true
and this works perfectly.

But with logstash it doesn't work at all.
Please i need help.
Thank you in advance.

magnusbaeck · January 6, 2016, 11:28am

I think you need to prepend the grok expression with (?m) so that the regexp engine doesn't consider a newline character as the end of the string. See http://stackoverflow.com/a/28231905/414355 for an example.