Logstash multiline codec not working with my pattern

Jigar_Sheth · September 27, 2015, 2:07pm

I had been using the multline codec of logstash for my java
exceptions. However, recently I wanted to capture more things and hence
used another pattern. This causes my logstash not to read file even
though I am using sincedb_path attribute.

My configurations file -

input {
        file {
           type => "pa"
           path => "/home/jigar/POC/Docs/smalllogs/test"
           codec => multiline {
                pattern => "^%{DATESTAMP}"
                negate => true
                what => "previous"
           }
           start_position => "beginning"
           sincedb_path => "/dev/null"
        }
}

filter {
         grok {
           match => [ "message", "%{DATESTAMP:actualTimeStamp}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{GREEDYDATA:identifier}%{SYSLOG5424SD:Id}%{SPACE}%{JAVACLASS:package}:%{INT:lineNum}%{SPACE}-%{SPACE}%{DATA:mydata}\n(\t)?%{GREEDYDATA:stack}" ]
         }
}

output {
  elasticsearch {
        cluster => "smartdebugger"
        protocol => "http"
        host => "localhost"
  }
  stdout { codec =>rubydebug }
}

Can somebody please help me why logstash is not able to read the file.

magnusbaeck · September 27, 2015, 6:39pm

I can imagine a couple of explanations:

Logstash can't read /home/jigar/POC/Docs/smalllogs/test.
The multiline pattern never matches, so Logstash waits forever for a matching line so that it can emit a message.