Logstash multiline codec not working

Hello, I have multiline logs:

Trace file /gh/app
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning option
ORACLE_HOME
System name: SunOS
Node name: kz-cdb
Release: 5.11
Version: 11.3
Machine: sun4v

*** 2021-03-13 18:54:21.185

PARSING IN CURSOR #14582292295292929592 len=52 dep=0 uid=46 oct=3 lid=46 tim=72943265001993 hv=3279822953 ad='a626a86d0' sqlid='ajt7jp31rw839'
select * from table ( fkl.dfef.flks(:1 ) )
END OF STMT
BINDS #14582292295292929592:
Bind#0
oacdty=01 mxl=32(10) mxlc=00 mal=00 scl=00 pre=00
oacflg=03 fl2=1000010 frm=01 csi=35 siz=32 off=0
kxsbbbfp=ffffffff7a273058 bln=32 avl=10 flg=05
value="558952cs92c"
EXEC #14582292295292929592:c=186,e=187,p=0,cr=0,cu=0,mis=0,r=0,dep=0,og=1,plh=3167027216,tim=72943265002162
WAIT #14582292295292929592: nam='SQL*Net message to client' ela= 2 driver id=1952673792 #bytes=1 p3=0 obj#=42868 tim=72943265002205
BINDS #18446744071463991888:
Bind#0
oacdty=96 mxl=32(11) mxlc=00 mal=00 scl=00 pre=00
oacflg=03 fl2=1206001 frm=01 csi=35 siz=64 off=0
kxsbbbfp=ffffffff7a274ae8 bln=32 avl=11 flg=05
value="558952cs92c "
Bind#1
oacdty=96 mxl=32(11) mxlc=00 mal=00 scl=00 pre=00
oacflg=03 fl2=1206001 frm=01 csi=35 siz=0 off=32
kxsbbbfp=ffffffff7a274b08 bln=32 avl=11 flg=01
value="558952cs92c "
EXEC #18446744071463991888:c=178,e=177,p=0,cr=0,cu=0,mis=0,r=0,dep=1,og=1,plh=1451635619,tim=72943265002515
WAIT #18446744071463991888: nam='db file sequential read' ela= 12559 file#=10 block#=2395358 blocks=1 obj#=323687 tim=72943265015228
WAIT #18446744071463991888: nam='db file sequential read' ela= 5329 file#=5 block#=335058 blocks=1 obj#=210669 tim=72943265020612
WAIT #18446744071463991888: nam='db file sequential read' ela= 2364 file#=6 block#=730510 blocks=1 obj#=42860 tim=72943265023055
FETCH #18446744071463991888:c=500,e=20592,p=3,cr=23,cu=0,mis=0,r=1,dep=1,og=1,plh=1451635619,tim=72943265023141
FETCH #18446744071463991888:c=88,e=88,p=0,cr=12,cu=0,mis=0,r=0,dep=1,og=1,plh=1451635619,tim=72943265023310
FETCH #14582292295292929592:c=1043,e=21136,p=3,cr=35,cu=0,mis=0,r=1,dep=0,og=1,plh=3167027216,tim=72943265023389
STAT #14582292295292929592 id=1 cnt=1 pid=0 pos=1 obj=0 op='COLLECTION ITERATOR PICKLER FETCH GET_SUBSCRIBER_DATA (cr=35 pr=3 pw=0 time=21121 us cost=35 size=16336 card=8168)'
CLOSE #14582292295292929592:c=33,e=33,dep=0,type=1,tim=72943265064181

*** 2021-03-13 18:55:41.245

PARSING IN CURSOR #18446744071463935216 len=52 dep=0 uid=46 oct=3 lid=46 tim=72943345058420 hv=3279822953 ad='a626a86d0' sqlid='ajt7jp31rw839'
select * from table ( fkl.dfef.flks(:1 ) )
END OF STMT
BINDS #18446744071463935216:
Bind#0
oacdty=01 mxl=32(10) mxlc=00 mal=00 scl=00 pre=00
oacflg=03 fl2=1000010 frm=01 csi=35 siz=32 off=0
kxsbbbfp=ffffffff7a273058 bln=32 avl=10 flg=05
value="80528294229"
EXEC #18446744071463935216:c=205,e=204,p=0,cr=0,cu=0,mis=0,r=0,dep=0,og=1,plh=3167027216,tim=72943345058605
WAIT #18446744071463935216: nam='SQL*Net message to client' ela= 1 driver id=1952673792 #bytes=1 p3=0 obj#=42860 tim=72943345058641
BINDS #18446744071463991888:
Bind#0
oacdty=96 mxl=32(11) mxlc=00 mal=00 scl=00 pre=00
oacflg=03 fl2=1206001 frm=01 csi=35 siz=64 off=0
kxsbbbfp=ffffffff7a274ae8 bln=32 avl=11 flg=05
value="80528294229 "
Bind#1
oacdty=96 mxl=32(11) mxlc=00 mal=00 scl=00 pre=00
oacflg=03 fl2=1206001 frm=01 csi=35 siz=0 off=32
kxsbbbfp=ffffffff7a274b08 bln=32 avl=11 flg=01
value="80528294229 "
EXEC #18446744071463991888:c=191,e=190,p=0,cr=0,cu=0,mis=0,r=0,dep=1,og=1,plh=1451635619,tim=72943345059050
FETCH #18446744071463991888:c=236,e=237,p=0,cr=23,cu=0,mis=0,r=1,dep=1,og=1,plh=1451635619,tim=72943345059322
FETCH #18446744071463991888:c=93,e=94,p=0,cr=10,cu=0,mis=0,r=0,dep=1,og=1,plh=1451635619,tim=72943345059482
FETCH #18446744071463935216:c=909,e=910,p=0,cr=33,cu=0,mis=0,r=1,dep=0,og=1,plh=3167027216,tim=72943345059595
STAT #18446744071463935216 id=1 cnt=1 pid=0 pos=1 obj=0 op='COLLECTION ITERATOR PICKLER FETCH GET_SUBSCRIBER_DATA (cr=33 pr=0 pw=0 time=901 us cost=35 size=16336 card=8168)'
CLOSE #18446744071463935216:c=35,e=35,dep=0,type=1,tim=72943345116497

I want to treat everything from one timestamp to the next as a single message and then parse it in the filter; my config is below. But there is no data in Elasticsearch, even without any filtering. Could you give any advice?

My guess is that the input can't work out what to do with this beginning part of the log:
Trace file /gh/app
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning option
ORACLE_HOME
System name: SunOS
Node name: kz-cdb
Release: 5.11
Version: 11.3
Machine: sun4v
How can I tell the input to skip this part? When I remove this part, everything works fine.

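# Pipeline: read an Oracle SQL trace file, fold each "*** <timestamp>" section
# into a single event, and index the events into Elasticsearch.
#
# NOTE(review): the trace sections this config is fed contain BINDS blocks, so
# every bind value (value="...") ends up indexed verbatim. If those values
# identify people or accounts, restrict read access to the index or strip the
# values in the filter stage before the events leave this host.
input {
    file {
        path => "/home/ubuntu/ora_24994.trc"
        # Only honoured for a file the input has not tracked before; a file
        # that was already read is resumed from its recorded position, which
        # can look like "no data" when re-running a test.
        start_position => "beginning"
        codec => multiline {
            # A new event starts at a line such as "*** 2021-03-13 18:54:21.185".
            # Each asterisk is escaped individually: the original "\***"
            # escaped only the first one and left two stray quantifiers.
            pattern => "^\*\*\* %{TIMESTAMP_ISO8601}"
            # Lines that do NOT match the pattern are appended to the event
            # opened by the most recent matching line.
            negate => true
            what => "previous"
            # Without this the last section stays buffered until another
            # "*** <timestamp>" line is written to the file.
            auto_flush_interval => 5
        }
    }
}

filter {
    # The trace preamble ("Trace file ...", version and host details) has no
    # leading "*** <timestamp>" line, so it becomes an event of its own.
    # Dropping every event that does not begin with "***" is one way to apply
    # the "drop in filter" fix the author mentions; their exact condition is
    # not shown on the page.
    if [message] !~ /^\*\*\* / {
        drop { }
    }
}

output {
    elasticsearch {
        # NOTE(review): no credentials or TLS are configured here. That is
        # only reasonable while Elasticsearch listens on loopback; confirm
        # before pointing this at a shared cluster.
        hosts => ["localhost:9200"]
        index => "cdb_logs2"
    }
}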

I solved it with a drop in the filter section.
