Logstash multiline pattern

Muhammad_Faisal · January 1, 2021, 2:20pm

hi guys,

i have a log file which consists of below pattern , i need to treat all lines of this log file as 1 aggregate event.file will close after 30 minutes and then new log will start..which pattern will work here... i am trying to use if line ends with new line feed , then merge next line with previous line ...but how to tell logstash that file has ended

codec => multiline {
pattern => ".*\r"
negate => false
what => "next"

log format

DEBUG:root:some data
DEBUG:root:some data
DEBUG:root:exception
DEBUG:root:error occured
method finished

INFO:root:some data
INFO:root:
INFO:root:
INFO:root:
method complete

Badger · January 1, 2021, 4:06pm

Use a pattern that will never match, and use a timeout

codec => {
    pattern => "^Spalanzani"
    negate => true
    what => next
    auto_flush_interval => 3700
}

Muhammad_Faisal · January 2, 2021, 1:58pm

its not getting last line into multiline... message aggregates all line except last ...

Badger · January 4, 2021, 6:19pm

Is there a newline at the end of the last line?

system · February 1, 2021, 6:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.