Logstash multiline codec plugin

bobbytan · June 18, 2018, 4:21am

hello,

Im trying to use the multiline codec plugin to merge input log that contains several lines into one line within a textfile.

config file:
input {

file {
path => "C:\Users\bob\Downloads\data\error_test.txt"
start_position =>"beginning"
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601} "
negate => true
what => "previous"

}
}
}

filter {
grok{
match => ["message", "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:loglevel} %{GREEDYDATA:messsage}"]
}
date {
match => ["logdate", "yyyy-MM-dd HH:mm:ss,SSS", "ISO8601"]
}

}

output{
stdout { codec => rubydebug }
elasticsearch { hosts => ["localhost:9200"]
index=> "error_test"
}
stdout { codec => rubydebug }
}

After running config file in shell it shows that pipelines are running and no errors are shown.However stdout are not printed within the shell running Logstash and no results are found for the particular index on kibana.Please advice thanks.

magnusbaeck · June 18, 2018, 6:32am

Perhaps Logstash thinks it has already processed the file and is waiting for more input. Setting sincedb_path => "nul" in the file input will clear that.

bobbytan · June 18, 2018, 6:46am

thanks for the feedback.I have tried setting in file input sincedb_path => "nul" and also sincedb_path => "/dev/null" however the same issue still persists

magnusbaeck · June 18, 2018, 7:10am

Things to try:

Remove the multiline codec.
Use forward slashes instead of backslashes in the path to the logfile.
Increase Logstash's loglevel and search for "error_test.txt" in the Logstash log.

system · July 16, 2018, 7:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.