Dears,
I know there are a lot of tutorials and examples with almost an answer but I don't seem to get it right...
I want to parse exception logs
and they are in the following format:
    ERROR (some data that I like to parse)
    (some other data)
    (the stacktrace)
        at ...
    Caused by: ...
        at ...
    ERROR (some data that I like to parse)
    (next event)
I seem to manage to get all the data in an event except for the ERROR line with:
    input {
      file {
        path => "/exception_log4j.log.1"
        codec => multiline {
          pattern => "ERROR"
          negate => "true"
          what => "next"
        }
        sincedb_path => "/dev/null"
        start_position => "beginning"
      }
    }
    filter {
      grok {
        match => {"message" => "%{GREEDYDATA:data}"}
      }
    }
    output {
      stdout { codec => rubydebug }
    }
If I set negate to "false" any line is matched...
How do I get this data in one event and also the data of the ERROR line?
Or which other approach should I take?
Thanks for reading and it would be grand if you can give me a hand...
Best regards,
S.
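
The grouping behaviour described in the post, as an added example that is not part of the original post: a simplified Ruby model of how a multiline codec's `pattern`, `negate` and `what` settings decide where one event ends and the next begins. The `group` function and the sample log are constructed for illustration and are not the plugin's own code.

```ruby
# Simplified model of multiline grouping (assumption: it follows the codec's
# pattern/negate/what semantics; this is not the plugin's code).
SAMPLE = <<~LOG.lines.map(&:chomp) # constructed sample in the post's format
  ERROR first failure
  java.lang.IllegalStateException: boom
      at com.example.A.run(A.java:10)
  Caused by: java.io.IOException: disk
      at com.example.B.read(B.java:22)
  ERROR second failure
  java.lang.RuntimeException: again
      at com.example.C.go(C.java:5)
LOG

def group(lines, pattern:, negate:, what:)
  events = []
  buffer = []
  flush = lambda do
    events << buffer.join("\n") unless buffer.empty?
    buffer.clear
  end
  lines.each do |line|
    matched = pattern.match?(line) ^ negate # negate inverts the regex result
    if what == :previous
      flush.call unless matched # an unmatched line starts a new event
      buffer << line
    else # :next
      buffer << line
      flush.call unless matched # an unmatched line ends the current event
    end
  end
  flush.call # end of input: emit whatever is still buffered
  events
end

# Settings as posted: each ERROR line closes the event that came before it,
# so the header is separated from its own stack trace.
as_posted = group(SAMPLE, pattern: /ERROR/, negate: true, what: :next)
# pattern => "^ERROR", negate => true, what => "previous": every line that
# does not start with ERROR is appended to the ERROR line above it.
anchored = group(SAMPLE, pattern: /^ERROR/, negate: true, what: :previous)

{ "as posted" => as_posted, "^ERROR + previous" => anchored }.each do |label, evs|
  puts "#{label}: #{evs.length} events"
  evs.each_with_index { |e, i| puts "  [#{i}] #{e.lines.first.chomp} (+#{e.lines.length - 1} lines)" }
end
```

Anchoring the pattern with `^` keeps a stack-trace line that merely contains the text ERROR from being treated as the start of a new event.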