Multi line filter in logstash conf

Aylwinns_Tan · June 2, 2017, 8:38am

Hi all, i'm trying to build a logstash.conf file for the following type of log files.

Below is excerpt of an two events:

----Event 1----
Exception at 21 May 2017
(tab)Module: 6764
(tab)Level: Abort
(tab)Code: 83hdjwuyeb68g
XmlDescription: None
----End----
----Event 2----
Exception at 20 May 2017
(tab)Module: 682
(tab)Level: Abort
(tab)Code: 683hhshvaaj67
Responsible configuration:
(tab)Global template: 107
(tab)Xml Description: None
----End-----

Both events appear in the same log, currently im using multiline with pattern ^\t and what previous.

But the issue is for the second event, the line one Responsible configuration does not have a tab.

Wondering if it's possible to use start with Exception as the start of a new event??
If yes, how? I have tried ^E but doesn't seem to work.
If no, anyone have any ideas on how i can do it?

Thanks

guyboertje · June 2, 2017, 9:03am

You could try using pattern: ----End---- negate: true and what: previous. Then mutate gsub the ----Event \d+---- away.

Aylwinns_Tan · June 2, 2017, 5:03pm

thanks

I got it to work

^^

system · June 30, 2017, 5:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter cannot parse log lines that are AFTER a multiline event Logstash	8	1960	July 6, 2017
Logstash : parse multiple lines, each in one field in a single event Logstash	3	837	August 2, 2018
Multiple patterns for Multiline Configuration? Logstash	3	1487	July 6, 2017
Multiline grok filter not working with specific log Logstash	3	250	April 4, 2022
Logstash multiline filter pattern match -- needing help please Solved Logstash	1	745	July 6, 2017

Multi line filter in logstash conf

Related topics