Logstash Multiline Parse Error

Hello,

My log file has multiline patterns (it's a CSV file having around 15 fields).

example log:

IM25756756,ADDRESS SERVICE (HPI),01/05/2018 15:41:12,67,mlm,202227,Closed,c1t09878.itcs.hpicorp.net,W-INCFLS-HPIT-LINUX,W-INCFLS-HPIT-LINUX,W-INCFLS-HPIT-LINUX,01/11/2018 15:41:11,4,incident,01/05/2018 15:41:15,2018/01,javier.de-la-torre@hpe.com,Mission Critical,HPOO,Failed to contact node c1t09878.itcs.hpicorp.net with BBC. Probably the node is down or there's a network problem. (OpC40-1911),"Failed to contact node c1t09878.itcs.hpicorp.net with BBC. Probably the node is down or
there's a network problem. (OpC40-1911)",1,1

Logs always start with IM. Moreover, if I align the log on a single line it works, but I can't do that for thousands of logs.

So I'm using a multiline pattern:

codec => multiline {
  pattern => "^(?!IM)\w+$"
  what => "previous"
}

Lines not starting with IM should merge with the previous line. Still, it's not working.

Error is: #<CSV::MalformedCSVError: Unclosed quoted field on line 1.>
Please let me know where I am wrong.
Thanks for your valuable time.

Check the multiline option in Filebeat, set your multiline.pattern: '^(?!IM)\w+$' (is this the start of the line?), and set multiline.negate: true

Every line starts with IM, so in the regex I have given lines not starting with IM (!IM). So I think there is no need to use multiline.negate. I'm not using Filebeat as of now.

Anyway, this finally worked:

codec => multiline {
  pattern => "(^IM*)"
  negate => true
  what => "previous"
}
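
The two configurations from this thread, replayed as an added example (not code from the posters or from Logstash): a small Ruby stand-in for the codec's `what => "previous"` merge, followed by the same CSV parse that raised the error. The sample records are constructed, and the `STRICTER` pattern is an assumption about the ID format ("IM", digits, comma) that the thread does not confirm.

```ruby
require "csv"

# Stand-in for the multiline codec with what => "previous": a line is
# appended to the previous event when (pattern matches) XOR negate.
def merge_previous(lines, pattern, negate: false)
  lines.each_with_object([]) do |line, events|
    continuation = !!(line =~ pattern) ^ negate
    if continuation && !events.empty?
      events.last << "\n" << line
    else
      events << line.dup
    end
  end
end

# Field count per event, or :malformed when the CSV parser rejects it.
def field_counts(events)
  events.map do |event|
    CSV.parse_line(event).size
  rescue CSV::MalformedCSVError
    :malformed
  end
end

# Constructed sample: two records, each with a quoted field split over two lines.
SAMPLE = [
  'IM0000001,Closed,"Failed to contact node. Probably the node is down or',
  'there\'s a network problem. (OpC40-1911)",1,1',
  'IM0000002,Closed,"Disk usage alert raised.',
  'Investigating the volume now",2,1',
].freeze

FIRST_TRY = /^(?!IM)\w+$/  # question: \w+ cannot span spaces, quotes or commas
WORKING   = /(^IM*)/       # final post, used with negate => true
STRICTER  = /^IM\d+,/      # assumption: IDs are "IM" + digits + comma

def run(pattern, negate)
  field_counts(merge_previous(SAMPLE, pattern, negate: negate))
end

p run(FIRST_TRY, false)  # nothing merges, every fragment fails to parse
p run(WORKING, true)     # first record merges; "Investigating..." starts a new event
p run(STRICTER, true)    # both records merge into complete CSV rows
```

Because `M*` also matches zero `M` characters, `(^IM*)` treats any line beginning with a capital "I" as the start of a new record, so a wrapped message starting with such a word is split and its events fail CSV parsing and never reach the index with their fields.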
