Logstash parse multiline logging

Hi all,

I am trying to parse the following log file with multi-line log entries:

Benutzerkennung: test1
Uhrzeit: 20:53:54 14.05.2022
Version: Microsoft Dynamics AX 6.2 (Erstellungsnummer 3000.5768)
Datenbank: Microsoft SQL Server
Arbeitsgang: 'BLABLA' (ID #109457): FIELD(NEW)
Dauer in Teilstrichen: 109.




Benutzerkennung: test1
Uhrzeit: 23:19:00 02.06.2022
Version: Microsoft Dynamics AX 6.2 (Erstellungsnummer 3000.5768)
Datenbank: Microsoft SQL Server
Arbeitsgang: 'BLABLA' (ID #115286): TABLE(NEW)+INDEX(CREATE)

With the following config:

input {
    tcp {
        port => 1337
        codec => multiline {
            pattern => "Arbeitsgang(.*)(\n)"
            what => "next"
            negate => true
        }
    }

}

output {
    stdout { codec => rubydebug }
}

However, I am not getting the desired output. Note that the line "Dauer in Teilstrichen: X." can be omitted. The desired output is as follows:

  • Log line 1:

Benutzerkennung: test1 Uhrzeit: 20:53:54 14.05.2022 Version: Microsoft Dynamics AX 6.2 (Erstellungsnummer 3000.5768) Datenbank: Microsoft SQL Server Arbeitsgang: 'BLABLA' (ID #109457): FIELD(NEW)

  • Log line 2:

Benutzerkennung: test1 Uhrzeit: 23:19:00 02.06.2022 Version: Microsoft Dynamics AX 6.2 (Erstellungsnummer 3000.5768) Datenbank: Microsoft SQL Server Arbeitsgang: 'BLABLA' (ID #115286): TABLE(NEW)+INDEX(CREATE)

I am not getting the wanted result, can someone help me out?

Edit,

I got it working with the config below. However, the flush doesn't seem to work. The last item is only processed when I manually kill the TCP connection:

input {
    tcp {
        port => 1337
        codec => multiline {
            pattern => "Benutzerkennung"
            negate => true
            what => "previous"
            auto_flush_interval => 5
        }
    }

}


output {
    stdout { codec => rubydebug }
}
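As an added illustration (this is not code from the post, and not the Logstash codec itself): a small Python model of the multiline codec's grouping rule, run over the two records above as constructed sample input. It shows why the first config never emits anything (the codec sees each line with its trailing newline already stripped, so a pattern ending in `(\n)` never matches; with negate => true every line then counts as a match, and with what => next every line is held for the one after it) and why the second config emits record 1 only when the Benutzerkennung line of record 2 arrives, leaving record 2 in the buffer until something flushes it. The model has no auto_flush_interval timer, so that final flush is an explicit call, which is the situation the post describes. `MultilineModel`, `run_codec` and `flatten` are names chosen here; `flatten` stands in for the mutate/gsub step that would turn the newline-joined event into the single-line form wanted in the post.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the two Dynamics AX records from the post, as the
# multiline codec sees them after the TCP stream is split on "\n" (blank lines
# kept, newline characters stripped).
SAMPLE_LINES = """\
Benutzerkennung: test1
Uhrzeit: 20:53:54 14.05.2022
Version: Microsoft Dynamics AX 6.2 (Erstellungsnummer 3000.5768)
Datenbank: Microsoft SQL Server
Arbeitsgang: 'BLABLA' (ID #109457): FIELD(NEW)
Dauer in Teilstrichen: 109.




Benutzerkennung: test1
Uhrzeit: 23:19:00 02.06.2022
Version: Microsoft Dynamics AX 6.2 (Erstellungsnummer 3000.5768)
Datenbank: Microsoft SQL Server
Arbeitsgang: 'BLABLA' (ID #115286): TABLE(NEW)+INDEX(CREATE)
""".splitlines()


class MultilineModel:
    """Model of the multiline codec's grouping rule (no timer, no size limits).

    A line "matches" when the regex finds it, flipped by negate. With
    what => "previous" a matching line is appended to the event being built and
    a non-matching line closes that event and starts a new one. With
    what => "next" a matching line is held to be joined with what follows, and
    a non-matching line closes the group.
    """

    def __init__(self, pattern: str, what: str, negate: bool = False) -> None:
        if what not in ("previous", "next"):
            raise ValueError("what must be 'previous' or 'next'")
        self.regex = re.compile(pattern)
        self.what = what
        self.negate = negate
        self._buffer: List[str] = []

    def _matches(self, line: str) -> bool:
        return (self.regex.search(line) is not None) != self.negate

    def flush(self) -> Optional[str]:
        """Emit whatever is buffered (what a connection close or the auto-flush
        timer does in Logstash). Returns None if nothing is buffered."""
        if not self._buffer:
            return None
        event = "\n".join(self._buffer)
        self._buffer = []
        return event

    def decode(self, line: str) -> Optional[str]:
        """Feed one line; return a completed event, or None while still buffering."""
        matched = self._matches(line)
        if self.what == "previous":
            event = None if matched else self.flush()
            self._buffer.append(line)
            return event
        # what == "next"
        self._buffer.append(line)
        return None if matched else self.flush()


def run_codec(lines: List[str], **codec_opts) -> Tuple[List[str], Optional[str]]:
    """Return (events emitted while streaming, event still left in the buffer)."""
    codec = MultilineModel(**codec_opts)
    emitted = [ev for line in lines if (ev := codec.decode(line)) is not None]
    return emitted, codec.flush()


def flatten(event: str) -> str:
    """Collapse a newline-joined event to the single-line form the post wants
    (the job a mutate/gsub filter would do later in the pipeline)."""
    return " ".join(part for part in event.split("\n") if part.strip())


if __name__ == "__main__":
    # Config 1 from the post: the codec never sees a "\n" inside a line, so the
    # pattern never matches, negate makes every line a match, and with
    # what => next nothing is closed until the connection drops.
    streamed, leftover = run_codec(SAMPLE_LINES, pattern=r"Arbeitsgang(.*)(\n)",
                                   what="next", negate=True)
    print("config 1 emitted while streaming:", len(streamed))

    # Config 2 from the post: each Benutzerkennung line closes the previous
    # record, so record 1 is emitted when record 2 begins and record 2 waits
    # in the buffer for a flush.
    streamed, leftover = run_codec(SAMPLE_LINES, pattern="Benutzerkennung",
                                   what="previous", negate=True)
    for ev in streamed:
        print("emitted:", flatten(ev))
    print("still buffered until flush:", flatten(leftover))
```

Running it prints no streamed events for the first config and exactly one for the second, with the second record appearing only from the explicit `flush()`, which matches the "last item only arrives when I kill the connection" symptom in the edit above.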
