Multiline and grok filter to merge multi line and then filter

mharoonahmed · June 29, 2017, 5:02am

Hi experts

I am very new to ELK stack and still learning. I have some logs streamed from a switch reporting congestion. Below is the log format. Record shows start, update and stop type records, with timestamp, interface name , queueSize and txlatency as important parameters to be filtered.

CongestionRecord:
timestamp: Thu Jun 29 10:35:12.9282 2017
intfName: Ethernet2
switchId: 0
portId: 20
queueSize: 519
entryType: Start
trafficClass: 1
txLatency: 1137.528
CongestionRecord:
timestamp: Thu Jun 29 10:35:12.9292 2017
intfName: Ethernet2
switchId: 0
portId: 20
queueSize: 526
entryType: Update
trafficClass: 1
txLatency: 1155.096
CongestionRecord:
timestamp: Thu Jun 29 10:35:12.11725 2017
intfName: Ethernet2
switchId: 0
portId: 20
queueSize: 1976
entryType: End
trafficClass: 1
timeOfMaxQLen: 10548
txLatency: 4339.296

I used multiline filter put one record as a message.

filter {
multiline {
pattern => "^CongestionRecord:"
what => "previous"
negate => true
}

An extract from output is given below.

"_index": "congestion",
"_type": "log",
"_id": "AVzyKL4KfBsK2dyTIqlw",
"_score": null,
"_source": {
"message": "CongestionRecord:\n timestamp: Thu Jun 29 14:25:43.14614 2017\n intfName: Ethernet3\n switchId: 0\n portId: 41\n queueSize: 645\n entryType: Update\n trafficClass: 1\n txLatency: 1324.064",
"@version": "1",
"@timestamp": "2017-06-29T04:25:43.156Z",
"source": "/var/log/arista-streaming.log",

How can I extract all fields from above message as seperate fields ?

Appreciate quick response.

magnusbaeck · June 29, 2017, 5:14am

Have you tried using a kv filter? The newline character might stir things up but apart from that it should be pretty straight forward.

mharoonahmed · July 2, 2017, 3:04am

Thanks Magnus.

I was able to seperate fields using kv filter as you suggested.

"message": "CongestionRecord:\n   timestamp: Fri Jun 30 16:02:24.14190 2017\n   intfName: Ethernet3\n   switchId: 0\n   portId: 41\n   queueSize: 268\n   entryType: Update\n   trafficClass: 1\n   txLatency: 855.456",
"@version": "1",
"@timestamp": "2017-07-02T01:49:51.286Z",
"path": "/var/log/arista-newtest.log",
"host": "ansible-rh73",
"tags": [
  "multiline"
],
"   timestamp": "Fri Jun 30 16:02:24.14190 2017",
"   intfName": "Ethernet3",
"   switchId": "0",
"   portId": "41",
"   queueSize": "268",
"   entryType": "Update",
"   trafficClass": "1",
"   txLatency": "855.456"

Filter I used as:

filter {
multiline {
pattern => "^CongestionRecord:"
what => "previous"
negate => true
}

kv {
field_split => "\n"
value_split => ":"
source => "message"
}

mutate {
convert => { "queueSize" => "integer" }
convert => { "txLatency" => "integer" }
convert => { "trafficClass" => "integer" }
convert => { "switchId" => "integer" }
convert => { "portId" => "integer" }

But then I see another issue that even though I am converting fiels into integer, they are still showed as String in Kibana. I have to plot graphs for queuesize and txlatency of port against time and so I need to convert those into integers. Any ideas how to do that ?

magnusbaeck · July 3, 2017, 5:28am

The mappings of existing fields can't be changed without reindexing. If you use daily indexes the problem should be fixed as the next day's index is created.

mharoonahmed · July 4, 2017, 1:02am

Hi

I changed the index to dated. I also tried to create a new index but problem persisted.

It seems that string output is coming from logstash. Values are coming out as strings instead of integers.

{
"@timestamp" => "2017-07-04T00:58:23.747Z",
"path" => "/var/log/arista-new.log",
"host" => "ansible-rh73",
"tags" => [],
" timestamp" => "Tue Jul 4 10:03:53.85655 2017",
" intfName" => "Ethernet2",
" switchId" => "0",
" portId" => "20",
" queueSize" => "675",
" entryType" => "Update",
" trafficClass" => "1",
" txLatency" => "2678.4"
}

Here is the filter again.

input {
file {
path => "/var/log/arista-new.log"
start_position => "beginning"
}
}

filter {
multiline {
pattern => "^CongestionRecord:"
what => "previous"
negate => true
}

kv {
field_split => "\n"
value_split => ":"
source => "message"
}

mutate {
convert => { "queueSize" => "integer" }
convert => { "txLatency" => "float" }
convert => { "trafficClass" => "integer" }
convert => { "switchId" => "integer" }
convert => { "portId" => "integer" }
}
mutate {
remove_field => [ "message" ]
}

mutate {
remove_tag => [ "multiline" ]
}

mutate {
remove_field => [ "@version" ]
}
}

output {
stdout { codec => rubydebug }
}

mharoonahmed · July 4, 2017, 1:25am

I changed the filter to rubydebug to test the output from logstash. My actual configuration is

output {
elasticsearch {
hosts => ["localhost:9200"]
index => "arista-%{+YYYY.MM.dd}"
}

magnusbaeck · July 4, 2017, 5:40am

{
"@timestamp" => "2017-07-04T00:58:23.747Z",
"path" => "/var/log/arista-new.log",
"host" => "ansible-rh73",
"tags" => ,
" timestamp" => "Tue Jul 4 10:03:53.85655 2017",
" intfName" => "Ethernet2",
" switchId" => "0",
" portId" => "20",
" queueSize" => "675",
" entryType" => "Update",
" trafficClass" => "1",
" txLatency" => "2678.4"
}

You have a leading space in your field names. Look into the kv filter's trim_key option.

system · August 1, 2017, 5:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline filter - Missing logs Elasticsearch	4	1620	July 5, 2017
How to grok those multiline log syntax? Logstash	3	255	October 8, 2022
Logstash using multiline for big log file Logstash	4	982	January 14, 2022
Multiline grok filter not working with specific log Logstash	3	250	April 4, 2022
Need to parse multi-lines log message Logstash	4	122	May 27, 2024

Multiline and grok filter to merge multi line and then filter

Related Topics