Logstash multiline code pattern?

Hi,

OS: Windows7
logstash2.1
elasticsearch2.1.0

I have following log file
"01","12/1/2016 12:03:43 AM",""
"02","STW4157","2016-12-01","00:03:43"
"03","0","0","0","0","0","1","0"
"04","AP 2.0 Mail Classify P03",""
"05","2016-12-01","00:03:43","2016-12-01","00:03:44","Scan","64","STW4157","0","","0","0","0","0","0","0"
"05","2016-12-01","00:03:49","2016-12-01","00:03:57","KTM Server","64","STW4155","0","","0","0","0","0","0","0"

"01","12/1/2016 12:03:45 AM",""
"02","STW4157","2016-12-01","00:03:45"
"03","0","0","0","0","0","1","0"
"04","AP 2.0 Mail Classify P03",""
"05","2016-12-01","00:03:45","2016-12-01","00:03:46","Scan","64","STW4157","0","","0","0","0","0","0","0"
"05","2016-12-01","00:03:52","2016-12-01","00:03:59","KTM Server","64","STW4155","0","","0","0","0","0","0","0"

input{
file{
type => "logs"
path => [ "D:/chirag/Logfileanalysismonitoring/KOFAXlogs/KOFAXcapture_1612_2.log" ]
codec => multiline {
negate => true
pattern => "^\n"
what => "previous"
}
}
}

What pattern should I use inside multiline codec, The logs are separated by two newline as you can see. Can anybody help me please.

Try ^$ as the pattern.

Hi,

@magnusbaeck
I tried the pattern as you specified:-
input{
file{
type => "logs"
path => [ "D:/chirag/Logfileanalysismonitoring/KOFAXlogs/KOFAXcapture_1612_2.log" ]
codec => multiline {
negate => true
pattern => "^$"
what => "previous"
}
}
}
output{
stdout { codec=>rubydebug }
}
But logstash is not able to parse the file,

It is stuck at logstash startup completed.
What is this pattern matching ?

Have you cleared the sincedb file and set start_position => beginning?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.