Matching multiline log message with Grok

I have these three lines of log messages:

```
2019-01-10 15:41:22,164 INFO  [ajp-nio-8010-exec-21] wt.system.out manlla - specIdOR:com.lcs.wc.specification.FlexSpecToSeasonLink:1071796633
2019-01-10 15:41:24,160 DEBUG [ajp-nio-8010-exec-34] rfa.jsp.main.Main manlla - 
#################################################################

[REQUEST MADE]
 user = manlla
 ipAddress = 0.0.0.0
 host = 0.0.0.0
 activity = VIEW_SEASON_PRODUCT_LINK
 action = 
 oid = OR:com.lcs.wc.specification.FlexSpecToSeasonLink:10717
 oidList = null
 returnActivity = VIEW_SEASON_PRODUCT_LINK
 returnAction = INIT
 returnOid = OR:com.lcs.wc.specification.FlexSpecToSeasonLink:10717
 typeOid = 
 typeAttributeOid = 
 tabId = 
 tabPage = SOURCING
 errorMessage = null
 sessionId = D90C1D4507BEB3F2B112B0D843.tomcat1
#################################################################
 url = ?activity=VIEW_SEASON_PRODUCT_LINK&action=&oid=OR:com.lcs.wc.specification.FlexSpecToSeasonLink:1071796633&oidList=null&typeOid=&typeAttributeOid=&tabId=&tabPage=SOURCING
#################################################################
2019-01-10 15:41:24,199 DEBUG [ajp-nio-8010-exec-34] rfa.jsp.main.MainTemplate manlla - templateType = 
```

I'm able to parse the first line correctly with this GROK pattern:

```
%{DATESTAMP:timestamp} %{WORD:severity} %{DATA:var1} %{JAVACLASS:out} %{USERNAME:user} %{GREEDYDATA:msg}
```

However, I'm having trouble getting to the second log line. Once that line's parsed I'd need to ignore all the # and set the msg field starting from [REQUEST MADE] and end it at the next instance of a log message.

Any help on this would be appreciated! I'm using the GROK debugger to parse this so let me know if more info is required.

Is the second line really a single line? Can you edit your post to use either </> in the toolbar above the editing pane or precede and follow the log with lines containing 3 backticks ```

Unfortunately that second line is one big log message. I'm thinking I'll remove the # and then keep everything else in the message field.

It's one message, but it is not one line. So you will need to combine the lines into a single event. Possibly with a multiline codec on a file input, or if you are using filebeat then you can do it in the beat.

For a file input, this might work.

```
codec => multiline {
    pattern => "^%{TIMESTAMP_ISO8601} "
    negate => true
    what => "previous"
}
```
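An added example (not from the thread or from Logstash itself) that reproduces what the codec plus grok pattern does in plain Python: glue non-timestamp lines onto the previous event, apply a hand-expanded form of the asker's grok pattern to each event, and strip the `#` rulers so `msg` starts at `[REQUEST MADE]`. The sample log is a constructed, abbreviated copy of the three messages in the question.

```python
import re

# Constructed sample modelled on the three messages in the question; the
# [REQUEST MADE] block is abbreviated, the original log is not reproduced.
SAMPLE = """\
2019-01-10 15:41:22,164 INFO  [ajp-nio-8010-exec-21] wt.system.out manlla - specIdOR:com.lcs.wc.specification.FlexSpecToSeasonLink:1071796633
2019-01-10 15:41:24,160 DEBUG [ajp-nio-8010-exec-34] rfa.jsp.main.Main manlla -
#################################################################

[REQUEST MADE]
 user = manlla
 activity = VIEW_SEASON_PRODUCT_LINK
#################################################################
 url = ?activity=VIEW_SEASON_PRODUCT_LINK&action=
#################################################################
2019-01-10 15:41:24,199 DEBUG [ajp-nio-8010-exec-34] rfa.jsp.main.MainTemplate manlla - templateType =
"""
# Simplified stand-in for the codec's "^%{TIMESTAMP_ISO8601} " pattern.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")

def join_multiline(lines):
    """negate => true, what => previous: non-timestamp lines join the previous event."""
    events = []
    for line in lines:
        if EVENT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

# Hand-expanded form of the grok pattern from the question. Because it has one
# literal space after severity, "INFO  [..." (two spaces) leaves var1 with a
# leading space, exactly as grok would; \s+ instead of the space avoids that.
# re.DOTALL lets msg span newlines, which is what (?m) before GREEDYDATA does in grok.
GROK = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<severity>\w+) (?P<var1>.*?) "
    r"(?P<out>(?:[A-Za-z0-9_$]+\.)+[A-Za-z0-9_$]+) "
    r"(?P<user>[\w.-]+) - ?(?P<msg>.*)$",
    re.DOTALL,
)
SEPARATOR = re.compile(r"^#+$")

def parse_event(event):
    m = GROK.match(event)
    if not m:
        return None
    fields = m.groupdict()
    # Drop the '#' rulers and blank lines so msg starts at [REQUEST MADE].
    kept = [l for l in fields["msg"].splitlines() if l.strip() and not SEPARATOR.match(l)]
    fields["msg"] = "\n".join(kept)
    return fields

def parse_log(text):
    return [parse_event(e) for e in join_multiline(text.splitlines())]
```

Running `parse_log(SAMPLE)` yields three events, the second carrying the whole request block in `msg`.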
