Multiline log problem

Hi,

I've logs like this:

{20151003010443,D,
{1,1},61,62,5,761520333,6,L,"SOME TEXT 1",1,
{"P",
{6,
{"S","SOME TEXT 2"},
{"S","SOME TEXT 3"}
}
},"",5,13,13,894575181,1,
{1}
}

I wrote and tested grok filter with Kibana grok debugger.

{%{DATESTAMP_EVENTLOG:date},%{GREEDYDATA:transaction-status},
{%{GREEDYDATA:transaction},%{GREEDYDATA:transaction-num}},%{INT:user},%{INT:computer-name},%{INT:application},%{INT:connection-num},%{INT:event-id},%{DATA:event-type},"%{TRULYGREEDY:comment}%{INT:metadata-id},
{"P",
{6,
%{GREEDYDATA:array1},
%{GREEDYDATA:array2}
}
},%{DATA:data-string}",%{INT:server-id},%{INT:main-port},%{INT:second-port},%{INT:session},%{INT:string-length},
%{GREEDYDATA:last-aray}
}

>>TRULYGREEDY (?<message>(.|\r|\n)*?(",))

Text in "SOME TEXT 1" can be up to 1000 strings.

So, I put grok filter into logstash config as is, but it doesn't seem to work.

filter {
  if [type] == "external1" {
        grok {
      patterns_dir => "/etc/logstash/patterns"
      match => {"message" => ['{%{DATESTAMP_EVENTLOG:date},%{GREEDYDATA:transaction-status},
                              {%{GREEDYDATA:trasaction},%{GREEDYDATA:trasaction-num}},%{INT:user},%{INT:computer-name},%{INT:application},%{INT:connection-num},%{INT:event-id},%{DATA:event-type},"%{TRULYGREEDY:comment}%{INT:metadata-id},
                              {"P",
                              {6,
                              %{GREEDYDATA:array1},
                              %{GREEDYDATA:array2}
                              }
                              },%{DATA:data-string}",%{INT:server-id},%{INT:main-port},%{INT:second-port},%{INT:session},%{INT:string-length},
                              %{GREEDYDATA:last-aray}
                              }'
                  ]}
    }
  }
}

Where I was wrong?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.