Multiline doesn't read last line

bertvervaele · March 30, 2017, 8:18am

I know this is a known problem but I can't find I there is already a solution to it.
So I want to read the oracle log file. This looks like this:

Sat Apr 09 10:13:17 2016
Archived Log entry 24018 added for thread 1 sequence 24444 ID 0xa5d45fc6 dest 1:
Sat Apr 09 10:18:05 2016
Completed checkpoint up to RBA [0x5f7d.2.10], SCN: 5443782313
Sat Apr 09 10:23:35 2016
Beginning log switch checkpoint up to RBA [0x5f7e.2.10], SCN: 5443860599
Thread 1 advanced to log sequence 24446 (LGWR switch)
  Current log# 2 seq# 24446 mem# 0: /oracle/PER/origlogB/log_g12m1.dbf
  Current log# 2 seq# 24446 mem# 1: /oracle/PER/mirrlogB/log_g12m2.dbf

my code:

input {
    file {
        path => "/oracle/FDG/saptrace/diag/rdbms/fdg/FDG/trace/alert_FDG.log"
        codec => multiline {
            pattern => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
            negate => true
            what => "previous"
        }
    }
}

So the amount of lines is not always the same.
Is there another way to read the last line(s)?

warkolm · March 30, 2017, 8:36am

https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html#plugins-codecs-multiline-auto_flush_interval might be what you want.

bertvervaele · March 30, 2017, 8:43am

Thank you for the quick answer.
auto_flush_interval was indeed what I needed

system · April 27, 2017, 8:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.