Multiline issue with 2 different patterns for a single event

jinal.shah · August 12, 2016, 11:42am

At the moment, I'm just running it manually via STDIN and observing the output on STDOUT while I test that the configuration works OK.

This is the full test configuration I am using to test that the parsing:

input { stdin { } }

    filter {

            grok {
                            match => { "message" => "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{SYSLOG5424PRINTASCII:thread}%{SPACE}%{JAVACLASS:logger}%{SPACE}\[%{JAVAMETHOD:method}:%{NUMBER:line}]%{SPACE}-%{SPACE}%{GREEDYDATA:message}" }
                            overwrite => ["message"]
                    }
                    date {
                            match => [ "timestamp", "MMM dd YYY HH:mm:ss", "MMM  d YYY HH:mm:ss", "ISO8601" ]
                            remove_field => [ "timestamp" ]
                    }
            multiline {
                    pattern => "^%{TIMESTAMP_ISO8601}"
                    negate => true
                    what => "previous"
            }
    }

    output {
      stdout { codec => rubydebug }
    }

And then manually running it with: /bin/logstash -f ../testconfigs/multiline.conf

Topic		Replies	Views
Multiline codec Logstash	15	2613	July 6, 2017
Config file for multiple multiline patterns Logstash	9	5430	October 5, 2017
Websphere multiline logs Logstash	9	1187	June 20, 2018
Problem with codec multiline Logstash	1	570	July 6, 2017
Logstash 5.1 - Multiline codec with file input Logstash	3	1982	February 9, 2017

Multiline issue with 2 different patterns for a single event

Related topics