You might have the same problem that I have: combining the lines will not produce what you expect. My post.
I posted the question today, but I'm still trying to figure it out by myself or waiting for a miracle.
By the way, you will easily find what you need to determine the pattern for the multiline codec on that page: Github-grok patterns
Thanks! Your issue is a bit different. I posted my solution to what I think your trouble is. For my issue, I want to combine lines based on timestamp x, rather than just matching the pattern. I guess it would be like matching anything in a log file with process id x, and making it multiline.
This may not be possible, but I wanted to ask the experts out there.
If it's possible, it may help me too for my issue (the solution you proposed to me just had the reverse effect: everything is linked to these particular logs => because they are the ones that match the pattern. But thanks for the try!)
I'll keep an eye on your post, just in case.
I figured it out. I guess my original google search was too specific.
grok {
  match => [ "message", "\[%{WORD} %{NUMBER:TSID}\]" ]
}
multiline {
  stream_identity => "%{TSID}"
  pattern => "."             # match anything because we're gathering by id field
  what => "previous"
  periodic_flush => true
  max_age => 10              # however many seconds it takes to get all of your lines together
}
This results in the log above being combined into a multiline.
Found here: http://stackoverflow.com/questions/32304023/how-to-make-logstash-multiline-filter-merge-lines-based-on-some-dynamic-field-va
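To make concrete what the filter configuration above does (group interleaved lines by an id extracted with grok, keep a buffer per id, and flush a buffer once it has been idle for max_age seconds), here is an added Python model of that behaviour. It is not Logstash's own code and not part of the original post; the "[WORD NUMBER]" line format, the sample lines and the 10-second max_age are assumptions mirroring the config quoted above.

```python
import re
import time

# Constructed sample log lines (not from the original thread): two streams,
# identified by the "[TS <id>]" token, interleaved line by line.
SAMPLE_LINES = [
    "[TS 1001] start request",
    "[TS 1002] start request",
    "[TS 1001] query db",
    "[TS 1002] query db",
    "[TS 1001] done",
    "[TS 1002] done",
]

# Equivalent of the grok pattern "\[%{WORD} %{NUMBER:TSID}\]" in the config above.
ID_PATTERN = re.compile(r"\[\w+ (?P<TSID>\d+)\]")


class IdMultiline:
    """Buffer lines per stream identity and emit one joined event per id.

    Models the quoted multiline *filter* settings: stream_identity => "%{TSID}",
    pattern => "." (every line matches), what => "previous" (append to the
    buffer for that id) and max_age (a buffer idle longer than max_age seconds
    is flushed as one event). The clock is injectable so the timeout can be
    exercised deterministically.
    """

    def __init__(self, max_age=10.0, clock=time.monotonic):
        self.max_age = max_age
        self.clock = clock
        self.buffers = {}  # TSID -> (list of lines, last-seen timestamp)

    def feed(self, line):
        """Consume one line; return the list of (tsid, text) events flushed so far."""
        m = ID_PATTERN.search(line)
        if not m:
            # No id on the line: pass it through untouched, like a grok miss.
            return [(None, line)]
        tsid = m.group("TSID")
        lines, _ = self.buffers.get(tsid, ([], None))
        lines.append(line)
        self.buffers[tsid] = (lines, self.clock())
        return self.flush_expired()

    def flush_expired(self):
        """Emit every buffer that has been idle longer than max_age (periodic_flush)."""
        now = self.clock()
        out = []
        for tsid in list(self.buffers):
            lines, last_seen = self.buffers[tsid]
            if now - last_seen > self.max_age:
                out.append((tsid, "\n".join(lines)))
                del self.buffers[tsid]
        return out

    def flush_all(self):
        """Emit all remaining buffers (end of input / pipeline shutdown)."""
        out = [(tsid, "\n".join(lines)) for tsid, (lines, _) in self.buffers.items()]
        self.buffers.clear()
        return out


def merge_by_id(lines, max_age=10.0, clock=time.monotonic):
    """Run a batch of lines through the buffer and return all merged events in order."""
    merger = IdMultiline(max_age, clock)
    events = []
    for line in lines:
        events.extend(merger.feed(line))
    events.extend(merger.flush_all())
    return events


if __name__ == "__main__":
    for tsid, text in merge_by_id(SAMPLE_LINES):
        print(f"--- event for TSID {tsid} ---")
        print(text)
```

The design point worth noticing is the same one the config relies on: because every line matches the pattern, the only thing separating events is the identity field plus the idle timeout, so lines of an id that keeps logging slowly can be held indefinitely, and a burst of distinct ids means one buffer per id in memory until max_age elapses.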
That's nice: but the multiline filter is deprecated... And "stream_identity" doesn't exist in the multiline codec.
I'm searching for the equivalent, and I'll warn you if I find anything.