Multiline issue with 2 different patterns for a single event

jinal.shah · August 12, 2016, 11:42am

At the moment, I'm just running it manually via STDIN and observing the output on STDOUT while I test that the configuration works OK.

This is the full test configuration I am using to test that the parsing:

input { stdin { } }

    filter {

            grok {
                            match => { "message" => "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{SYSLOG5424PRINTASCII:thread}%{SPACE}%{JAVACLASS:logger}%{SPACE}\[%{JAVAMETHOD:method}:%{NUMBER:line}]%{SPACE}-%{SPACE}%{GREEDYDATA:message}" }
                            overwrite => ["message"]
                    }
                    date {
                            match => [ "timestamp", "MMM dd YYY HH:mm:ss", "MMM  d YYY HH:mm:ss", "ISO8601" ]
                            remove_field => [ "timestamp" ]
                    }
            multiline {
                    pattern => "^%{TIMESTAMP_ISO8601}"
                    negate => true
                    what => "previous"
            }
    }

    output {
      stdout { codec => rubydebug }
    }

And then manually running it with: /bin/logstash -f ../testconfigs/multiline.conf

Topic		Replies	Views
Yet another multiline plea for help please Logstash	6	821	December 8, 2016
Parsing multiline java execption Logstash	4	326	December 14, 2023
XML Multiline pattern problems with Logstash Logstash	1	495	November 7, 2017
Grok filter cannot parse log lines that are AFTER a multiline event Logstash	8	1960	July 6, 2017
Need help with Parsing Multiline StackTrace Logstash	5	2796	July 31, 2019

Multiline issue with 2 different patterns for a single event

Related topics