Multiline log

pecwich · March 1, 2016, 5:48am

In a multiline log, can parsing or indexing of fields occur only in the first line? I want to parse fields present in the second or third line for example, what should I do?

magnusbaeck · March 3, 2016, 7:05am

That works but you may have to put (?m) at the beginning of the grok expression (which I assume is what you're using). For specific help please post an example message and your configuration.

pecwich · March 4, 2016, 6:01am

Like this is my input{

file {
path => "/home/.*.com"
type => "framework"
codec => multiline {

pattern =>

"(?(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)
%{MONTH} (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
%{HOUR}:%{MINUTE}:%{SECOND} %{YEAR})"
negate => true
what => "previous"
}
}

and this is my filter:
grok{
match => [ "message" ,
"(?(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)
%{MONTH} (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
%{HOUR}:%{MINUTE}:%{SECOND} %{YEAR}) %{GREEDYDATA}
(ID=:)(?[0-9]{2,3}.[0-9]{2,3}.[0-9]{2,3}.[0-9]{2,3}([0-9]{1}))" ]
}

And suppose this is my log:

Thu Feb 25 15:00:03 2016 nbdnclmlmc;lm [INFO] kjnclkklmc
nckdnlmvl;
nkcjlkmcp;
nmdmc;c; RID=:10.88.81.211(0)
jhcbdkjnclkasdncl

magnusbaeck · March 4, 2016, 6:38am

Always always always post configurations (especially those with regular expressions) formatted as code! Your snippet above is not copy/pasteable and I had to rewrite it just to get it past the syntax check. Because I don't know exactly what you have I don't know exactly what was wrong with it, but the following works:

$ cat test.config 
input {
  stdin {
    codec => multiline {
      pattern => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
      negate => true
      what => "previous"
    }
  }
}
output { stdout { codec => rubydebug } }
filter {
  grok {
    match => [
      "message",
      "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR} %{GREEDYDATA}; RID=:%{IP:ip}"
    ]
  }
}
$ cat data 
Thu Feb 25 15:00:03 2016 nbdnclmlmc;lm [INFO] kjnclkklmc
nckdnlmvl;
nkcjlkmcp;
nmdmc;c; RID=:10.88.81.211(0)
jhcbdkjnclkasdncl
Thu Feb 25 15:00:03 2016 nbdnclmlmc;lm [INFO] kjnclkklmc
nckdnlmvl;
nkcjlkmcp;
nmdmc;c; RID=:10.88.81.211(0)
jhcbdkjnclkasdncl
$ /opt/logstash/bin/logstash -f test.config < data
Settings: Default pipeline workers: 8
Logstash startup completed
{
    "@timestamp" => "2016-03-04T06:37:33.464Z",
       "message" => "Thu Feb 25 15:00:03 2016 nbdnclmlmc;lm [INFO] kjnclkklmc\nnckdnlmvl;\nnkcjlkmcp;\nnmdmc;c; RID=:10.88.81.211(0)\njhcbdkjnclkasdncl",
      "@version" => "1",
          "tags" => [
        [0] "multiline"
    ],
          "host" => "lnxolofon",
            "ip" => "10.88.81.211"
}
Logstash shutdown completed

pecwich · March 4, 2016, 9:09am

GREEDYDATA does not capture the new line character, right? So how did it parse the RID?
You didn't even use (?m).

magnusbaeck · March 4, 2016, 9:11am

I would've expected (?m) to be necessary but I don't remember its exact semantics.

Topic		Replies	Views
Parsing multiline logs in Logstash Logstash	4	2707	July 20, 2017
Parsing a multiline log Logstash	11	1934	July 6, 2017
Multiline parsing error Logstash	2	219	January 3, 2021
How to get logstash to parse multi-line fields into multiple lines Logstash	2	558	June 6, 2019
Parsing multiline logs : line + xml Logstash	10	6634	July 6, 2017

Multiline log

Related topics