Logstash reading new lines issues

I have written a conf file in Logstash to read the JMS log, and the problem is that I could not break the records into new lines for filtering. Here is the raw data:

####<Sep 20, 2015 12:00:12 AM> <> <1442678412960> <809000> <ID:<307061.1442678412716.0>> <> <CmsCorpAlsPrd_als_mod!CmsCorpAlsPrd_jmsAls_cdceap7e_32040@abb_audit_als_dQue> <Consumed> <<anonymous>> <MC:CA(local):OAMI(CmsCorpAlsPrd_cdceap7e_32040.jms.connection36.session121.consumer125)> <&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;mes:WLJMSMessage xmlns:mes="http://www.bea.com/WLS/JMS/Message"&gt;&lt;mes:Header&gt;&lt;mes:JMSDeliveryMode&gt;PERSISTENT&lt;/mes:JMSDeliveryMode&gt;&lt;mes:JMSExpiration&gt;0&lt;> <> ####<Sep 20, 2015 12:00:13 AM> <> <1442678413018> <392000> <ID:<307061.1442678412943.0>> <> <CmsCorpAlsPrd_als_mod!CmsCorpAlsPrd_jmsAls_cdceap7e_32040@abb_audit_als_dQue> <Produced> <<anonymous>> <> <&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;mes:WLJMSMessage xmlns:mes="http://www.bea.com/WLS/JMS/Message"&gt;&lt;mes:Header&gt;&lt;mes:JMSDeliveryMode&gt;PERSISTENT&lt;/mes:JMSDeliveryMode&gt;&lt;mes:JMSExpiration&gt;0&lt;> <> 

And here is my conf file in Logstash:

input {
  stdin {}
  # Read the JMS audit log from the start of the file
  file {
    type => "txt"
    path => "C:\HA\jms\jms.log"
    start_position => "beginning"
  }
}
filter {
  # Any line matching the pattern is appended to the previous event
  multiline {
    pattern => "\&"
    what => previous
  }
  # Split the record header and part of the entity-encoded XML body into fields
  grok {
    match => { "message" => ['####<%{GREEDYDATA:Date}>%{SPACE}<>%{SPACE}<%{GREEDYDATA:Millisec_Date}>%{SPACE}<%{GREEDYDATA:Nanosec_Date}>%{SPACE}<ID:<%{GREEDYDATA:JMS_message_ID}>>%{SPACE}<>%{SPACE}<%{GREEDYDATA:JMS_destination_name}>%{SPACE}<%{GREEDYDATA:JMS_message_eventname}>%{SPACE}<<%{GREEDYDATA:JMS_username}>>%{SPACE}<%{GREEDYDATA:JMS_correlationID}>%{SPACE}<%{GREEDYDATA:Mcls}:JMSDeliveryMode&gt;%{WORD:JMSDeliveryMode}&lt;/mes:JMSDeliveryMode&gt;&lt;mes:JMSExpiration&gt;%{NUMBER:JMSExpiration}&lt;>%{SPACE}<>'] }
  }
}
output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

Everything went well, except that when I run the conf the result gives me this:

                 "@version" => "1",
               "@timestamp" => "2016-06-08T06:23:50.543Z",
                     "path" => "C:\\HA\\jms\\jms.log",
                     "host" => "WIN-07LLQEN2SJB",
                     "type" => "txt",
                     "tags" => [
        [0] "multiline"
    ],
                     "Date" => "Sep 20, 2015 12:00:12 AM> <> <1442678412960> <809000> <ID:<307061.1
442678412716.0>> <> <CmsCorpAlsPrd_als_mod!CmsCorpAlsPrd_jmsAls_cdceap7e_32040@abb_audit_als_dQue> <Consumed> <<anonymou
s>> <MC:CA(local):OAMI(CmsCorpAlsPrd_cdceap7e_32040.jms.connection36.session121.consumer125)> <&lt;?xml version=\"1.0\"
encoding=\"UTF-8\"?&gt;\n&lt;mes:WLJMSMessage xmlns:mes=\"http://www.bea.com/WLS/JMS/Message\"&gt;&lt;mes:Header&gt;&lt;
mes:JMSDeliveryMode&gt;PERSISTENT&lt;/mes:JMSDeliveryMode&gt;&lt;mes:JMSExpiration&gt;0&lt;> <> \n####<
Sep 20, 2015 12:00:13 AM",
            "Millisec_Date" => "1442678413018",
             "Nanosec_Date" => "392000",
           "JMS_message_ID" => "307061.1442678412943.0",
     "JMS_destination_name" => "CmsCorpAlsPrd_als_mod!CmsCorpAlsPrd_jmsAls_cdceap7e_32040@abb_audit_als_dQue",
    "JMS_message_eventname" => "Produced",
             "JMS_username" => "anonymous",
                     "Mcls" => "&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\n&lt;mes:WLJMSMessage xmlns:mes=\"http:
//www.bea.com/WLS/JMS/Message\"&gt;&lt;mes:Header&gt;&lt;mes",
          "JMSDeliveryMode" => "PERSISTENT",
            "JMSExpiration" => "0"
}

Obviously, the Date field has read all the data of the first message, and it seems to have been classified as the data of the 2nd message. Is there any way to solve this by breaking the different records into new lines?

Two things that I think will help:

  • Don't use GREEDYDATA to match the date. As its name implies it's greedy. Use a more specific grok expression.
  • A better multiline condition would probably be "unless the line begins with ###< join with the previous line". If you insist on sticking with your current pattern you should at least prepend it with ^ so that it only matches ampersands at the beginning of the line.
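
To make the two points above concrete, here is an added Python script (not from the thread or from Logstash itself) that emulates the multiline `what => previous` join on two constructed records modelled on the ones quoted in the question. It contrasts the unanchored `\&` rule with the "unless the line begins with `####<`" rule, and then parses the header with a specific date pattern and `[^>]+` in place of `GREEDYDATA`. The field names reuse the grok names from the question; the regexes are my own, not grok patterns.

```python
import re

# Constructed sample modelled on the question's records: each record spans two
# physical lines and the XML body is entity-encoded (&lt; &gt;) as in the real log.
RAW_LOG = (
    '####<Sep 20, 2015 12:00:12 AM> <> <1442678412960> <809000> <ID:<307061.1442678412716.0>> <> '
    '<CmsCorpAlsPrd_als_mod!CmsCorpAlsPrd_jmsAls_cdceap7e_32040@abb_audit_als_dQue> <Consumed> <<anonymous>> '
    '<MC:CA(local):OAMI(CmsCorpAlsPrd_cdceap7e_32040.jms.connection36.session121.consumer125)> '
    '<&lt;?xml version="1.0" encoding="UTF-8"?&gt;\n'
    '&lt;mes:WLJMSMessage xmlns:mes="http://www.bea.com/WLS/JMS/Message"&gt;&lt;mes:Header&gt;'
    '&lt;mes:JMSDeliveryMode&gt;PERSISTENT&lt;/mes:JMSDeliveryMode&gt;&lt;mes:JMSExpiration&gt;0&lt;> <> \n'
    '####<Sep 20, 2015 12:00:13 AM> <> <1442678413018> <392000> <ID:<307061.1442678412943.0>> <> '
    '<CmsCorpAlsPrd_als_mod!CmsCorpAlsPrd_jmsAls_cdceap7e_32040@abb_audit_als_dQue> <Produced> <<anonymous>> '
    '<> <&lt;?xml version="1.0" encoding="UTF-8"?&gt;\n'
    '&lt;mes:WLJMSMessage xmlns:mes="http://www.bea.com/WLS/JMS/Message"&gt;&lt;mes:Header&gt;'
    '&lt;mes:JMSDeliveryMode&gt;PERSISTENT&lt;/mes:JMSDeliveryMode&gt;&lt;mes:JMSExpiration&gt;0&lt;> <> \n'
)

def join_lines(lines, is_continuation):
    """Emulate multiline 'what => previous': a line for which is_continuation()
    is true is glued onto the previous event; any other line starts a new event."""
    events = []
    for line in lines:
        if events and is_continuation(line):
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events

# The question's rule, pattern => "\&" unanchored: every line containing '&' is a
# continuation, and the '####<' header line contains '&lt;?xml', so records merge.
unanchored_amp = lambda line: "&" in line
# The suggested rule: a line continues the previous event unless it begins with
# '####<' (multiline pattern => "^####<", negate => true, what => "previous").
not_record_start = lambda line: not line.startswith("####<")

# Specific fields instead of GREEDYDATA: '[^>]+' cannot run past a closing '>'.
HEADER = re.compile(
    r"^####<(?P<Date>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M)> <> "
    r"<(?P<Millisec_Date>\d+)> <(?P<Nanosec_Date>\d+)> <ID:<(?P<JMS_message_ID>[^>]+)>> <> "
    r"<(?P<JMS_destination_name>[^>]+)> <(?P<JMS_message_eventname>\w+)> "
    r"<<(?P<JMS_username>[^>]*)>> <(?P<JMS_correlationID>[^>]*)>")
BODY = re.compile(r"&lt;mes:JMSDeliveryMode&gt;(?P<JMSDeliveryMode>\w+)&lt;/mes:JMSDeliveryMode&gt;"
                  r"&lt;mes:JMSExpiration&gt;(?P<JMSExpiration>\d+)&lt;")

def parse_events(raw, is_continuation):
    """Split the raw text into events, then extract header and body fields of each."""
    parsed = []
    for event in join_lines(raw.splitlines(), is_continuation):
        m = HEADER.match(event)
        fields = m.groupdict() if m else {}
        b = BODY.search(event)
        if b:
            fields.update(b.groupdict())
        parsed.append(fields)
    return parsed
```

With the unanchored rule both records collapse into one event; with the record-start rule each record becomes its own event and the Date field stops at the first `>`.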

Yes, thanks. Adding ^ helps a lot.
However, when I run the conf file, it also gives me a map parsing error with status 400. I would like to know what the issue is for that?

Please show the full error message.

  1. I found the solution here: github.com/elastic/elasticsearch/issues/16283
  2. Another problem is the created field for indexing is too long. Shortening the name can solve the issue.

But I have no idea why template_overwrite => true solves the issue.