All logging lines/events that pass the pattern are concatenated to form a single event. But the last line which does not match is also concatenated.
Is that the expected functionality?
I would expect that if it does not match it is dropped from the multiline event and sent in the next event.
I was also wondering if it is possible to have more than one multiline codec definition. One that does the next line processing and another the previous line?
All logging lines/events that pass the pattern are concatenated to form a single event. But the last line which does not match is also concatenated.
I'm not sure exactly what you mean (examples help) but since the last matching line joins with the next line, what you describe sounds like the intended behavior. Perhaps you should use what => "previous" instead? Again, an example of what you're trying to do would make it easier to help.
I was also wondering if it is possible to have more than one multiline codec definition. One that does the next line processing and another the previous line?
As you can see the 333 does not match 111 or 222 but is still concatenated.
If this is an (important) event I would not expect it to be swallowed in the previous event!
Is my example clear?
In reply to your other question.
I would like to do this in the input of Logstash. This would give a clearer and simpler expression to match.
I have tested using two multiline expressions but as soon as the first multiline fails the second is never executed.
As you can see the 333 does not match 111 or 222 but is still concatenated.
If this is an (important) event I would not expect it to be swallowed in the previous event!
Is my example clear?
It doesn't explain what your actual log entries look like and what rules should be used to join them. As I said you should probably use what => "previous" instead. In most cases multiline setups are based on what identifies the beginning of a logical event:
multiline {
  pattern => "regexp matching the first line of a multiline group"
  negate => true
  what => "previous"
}
I would like to do this in the input of Logstash. This would give a clearer and simpler expression to match.
I have tested using two multiline expressions but as soon as the first multiline fails the second is never executed.
What the actual log entries look like is not really the point.
I just gave a simplified example to show what I am experiencing using simplified rules.
In the multiline output you see "message" => "111\n222\n333"
Sorry for repeating myself again but as you can see from the pattern ( pattern => "(^111)|(^222)" ) 333 should not be matched.
I also understand I have what => "next" in my expression.
The question is, should that event starting with 333 be part of the multiline event even though it does not match the pattern?
Or is this an error in the multiline codec or logstash?
Hi Benny,
let me try to explain the behavior of your config.
pattern => "(^111)|(^222)"
what => "next"
Your config says: Any line starting with 111 or 222 should be merged with the next line that does not match the pattern.
With input 111\n222\n333.
111 comes -> 111 matches pattern -> logstash waits for next line
222 comes -> 222 matches pattern -> logstash waits for next line
333 comes -> 333 does not match -> all previous lines belong to this line, logstash joins them and the event is completed.
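The joining rules discussed in this thread, as an added example that is not part of any post and is not the plugin's own source: a simplified Ruby model of how `what => "next"` and `what => "previous"` (with and without `negate`) group lines. The function name `multiline_events`, the end-of-input flush and the sample lines are assumptions made for illustration.

```ruby
# Simplified model of multiline joining (added example, not the plugin's code).
# pattern: Regexp tested per line; what: :next or :previous; negate: invert match.
def multiline_events(lines, pattern:, what:, negate: false)
  events = []
  buffer = []
  flush = lambda do
    events << buffer.join("\n") unless buffer.empty?
    buffer = []
  end

  lines.each do |line|
    matched = !!(line =~ pattern) ^ negate
    if what == :next
      # A matching line is held for the line that follows it, so the first
      # non-matching line is appended before the event is closed.
      buffer << line
      flush.call unless matched
    else
      # A matching line belongs to the previous line; a non-matching line
      # closes the pending event first and then starts a new one.
      flush.call unless matched
      buffer << line
    end
  end
  flush.call # assumption: pending lines are emitted at end of input
  events
end

# Constructed input based on the thread's 111/222/333 example.
SAMPLE = %w[111 222 333 444]
THREAD_PATTERN = /(^111)|(^222)/
NEXT_EVENTS = multiline_events(SAMPLE, pattern: THREAD_PATTERN, what: :next)
PREV_EVENTS = multiline_events(SAMPLE, pattern: THREAD_PATTERN, what: :previous)

# Constructed log lines for the "first line of a group" idiom with negate.
TRACE = ["2015-06-01 ERROR boom", "  at a.rb:1", "  at b.rb:2",
         "2015-06-01 INFO ok"]
TRACE_EVENTS = multiline_events(TRACE, pattern: /^\d{4}-\d{2}-\d{2} /,
                                what: :previous, negate: true)

puts NEXT_EVENTS.inspect
puts PREV_EVENTS.inspect
puts TRACE_EVENTS.inspect
```

With the thread's pattern, `:next` pulls 333 into the 111/222 event, while `:previous` leaves 333 as its own event.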