Logstash multuline not working

Logstash multiline not working.

2018-08-09 04:15:13,307 Closed connection at 8/9/2018 4:15:13 AM -04:00 <<INFO .Data.AppDbContext [t23]>>
2018-08-09 04:15:13,307 Unexpected error in time zone update <<ERROR UpdateTimeZones [t23]>>
Oracle.ManagedDataAccess.Client.OracleException (0x80004005): ORA-00001: unique constraint (LINK_OD_IREPORT_2.TIME_ZONES_PK) violated
ORA-06512: at "LINK_OD_IREPORT_2.SET_MEETING_TIMEZONE", line 23
ORA-06512: at line 1
   at OracleInternal.ServiceObjects.OracleConnectionImpl.VerifyExecution(Int32& cursorId, Boolean bThrowArrayBindRelatedErrors, SqlStatementType sqlStatementType, Int32 arrayBindCount, OracleException& exceptionForArrayBindDML, Boolean& hasMoreRowsInDB, Boolean bFirstIterationDone)

2018-08-09 04:15:13,307 Closed connection at 8/9/2018 4:15:13 AM -04:00 <<INFO .Data.AppDbContext [t23]>>

tried all the combinations of logstash.

input { 

  file {
    path => "C:/Users/ss/Downloads/test6/*"
    start_position => "beginning"
    codec => multiline {
                   pattern => "^%{TIMESTAMP_ISO8601} "
                    negate => true
                    what => "previous"
                }
      }   
} 
output {
    stdout { codec => rubydebug }
}




with regex


codec => multiline {
                   pattern => '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
                    negate => true
                    what => "previous"
                }
      }



output:

{
       "message" => "2018-08-09 04:15:13,307 Closed connection at 8/9/2018 4:15:13 AM -04:00 <<INFO Data.AppDbContext [t23]>>\r",
          "path" => "C:/Users/ss/Downloads/test8/test1.LOG",
      "@version" => "1",
    "@timestamp" => 2018-08-15T22:59:06.089Z
}

Do you only get that single event when Logstash processes the example file with three events? Or what's the problem?

Yes sir I got only one single event.

Any help?

I don't think the problem is related to your multiline configuration. Have you tried clearing your sincedb file or setting sincedb_path => "nul" in your file input in order to force the file to be (re)read from the top?

1 Like

Try adding an auto_flush_interval to your multiline codec.

auto_flush_interval => 5
1 Like

both worked. thanks a lot!!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.