Logstash multiline pattern

Muhammad_Faisal · January 1, 2021, 2:20pm

hi guys,

i have a log file which consists of below pattern , i need to treat all lines of this log file as 1 aggregate event.file will close after 30 minutes and then new log will start..which pattern will work here... i am trying to use if line ends with new line feed , then merge next line with previous line ...but how to tell logstash that file has ended

codec => multiline {
pattern => ".*\r"
negate => false
what => "next"

log format

DEBUG:root:some data
DEBUG:root:some data
DEBUG:root:exception
DEBUG:root:error occured
method finished

INFO:root:some data
INFO:root:
INFO:root:
INFO:root:
method complete

Badger · January 1, 2021, 4:06pm

Use a pattern that will never match, and use a timeout

codec => {
    pattern => "^Spalanzani"
    negate => true
    what => next
    auto_flush_interval => 3700
}

Muhammad_Faisal · January 2, 2021, 1:58pm

its not getting last line into multiline... message aggregates all line except last ...

Badger · January 4, 2021, 6:19pm

Is there a newline at the end of the last line?

system · February 1, 2021, 6:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash multiline codec ignores last line of log file Logstash	1	226	September 10, 2021
Logstash multiline codec do not read all lines Logstash	3	223	September 30, 2022
Logstash Mutliline Inquiry Logstash	17	3765	July 6, 2017
Multiline pattern for date is not working Logstash	1	235	April 2, 2020
Multiline vs aggregate Beats filebeat	13	2397	March 14, 2019

Logstash multiline pattern

Related topics