Logstash multiline codec not working with my pattern

Jigar_Sheth · September 27, 2015, 2:07pm

I had been using the multline codec of logstash for my java
exceptions. However, recently I wanted to capture more things and hence
used another pattern. This causes my logstash not to read file even
though I am using sincedb_path attribute.

My configurations file -

input {
        file {
           type => "pa"
           path => "/home/jigar/POC/Docs/smalllogs/test"
           codec => multiline {
                pattern => "^%{DATESTAMP}"
                negate => true
                what => "previous"
           }
           start_position => "beginning"
           sincedb_path => "/dev/null"
        }
}

filter {
         grok {
           match => [ "message", "%{DATESTAMP:actualTimeStamp}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{GREEDYDATA:identifier}%{SYSLOG5424SD:Id}%{SPACE}%{JAVACLASS:package}:%{INT:lineNum}%{SPACE}-%{SPACE}%{DATA:mydata}\n(\t)?%{GREEDYDATA:stack}" ]
         }
}

output {
  elasticsearch {
        cluster => "smartdebugger"
        protocol => "http"
        host => "localhost"
  }
  stdout { codec =>rubydebug }
}

Can somebody please help me why logstash is not able to read the file.

magnusbaeck · September 27, 2015, 6:39pm

I can imagine a couple of explanations:

Logstash can't read /home/jigar/POC/Docs/smalllogs/test.
The multiline pattern never matches, so Logstash waits forever for a matching line so that it can emit a message.

Topic		Replies	Views
Problem with codec multiline Logstash	1	557	July 6, 2017
Logstash multiline codec plugin Logstash	4	260	July 16, 2018
Add multiline codec issue on logstash Logstash	6	321	June 27, 2023
Issue with file input multiline codec Logstash	2	1246	December 15, 2016
Multiline codec reading entire log file as one line Logstash	1	1188	June 20, 2017

Logstash multiline codec not working with my pattern

Related topics