Multiline Logstah file txt

Daniel_Bergmann · August 3, 2020, 6:33pm

I have a TXT file that I want to import into Elasticsearch via LogStash,

it is a fixed type of columns, in which I used grok and if to separate the columns of this file, that's fine, but I want to use the multiline to get 'n' lines that will be inserted / consolidated in the same document in Elastic.
Each line of the file the first column is the type line, (it can be 1,2, or 3) and I would like to consolidate everything below 1 an event in the logstash, it closes the event when the next line is 1, it follows an example of lines in the txt file:

LINE 1:
1 ....
LINE 2:
2 ....
LINE 3:
2 ....
LINE 4:
3 ....
LINE 5:
1 ....
LINE 6:
1 ....
LINE 7:
2 ....
LINE 8:
1 ....

in the output it would be like this:
LINE 1, 2, 3, 4 - document elastic _id
LINE 5 - another document elastic _id
LINE 6 and 7 - another document elastic_id
LINE 8 - another document elastic_id

I have been researching but I can't find a correct pattern for this or not to do for Lostash but for a python reading the file and consolidating it into an array.

Can someone help me ?

Thank you
Daniel

Badger · August 3, 2020, 7:33pm

Are "LINE 1:" etc just labels in your example or do they actually exist in the data?

Are you using a file input? If so, you might be able to do this with a multiline codec on the input. Alternatively an aggregate filter.

Daniel_Bergmann · August 3, 2020, 8:11pm

Hi Badger, LINE 1: don´t exist only first column in line is (1,2 or 3)

yes a using file input.

Thank you

Badger · August 3, 2020, 8:42pm

On the file input use

codec => multiline { pattern => '^1' negate => true what => previous auto_flush_interval => 1 }

then if you use mutate+split, with a literal newline in the configuration

    mutate { split => { "message" => "
" } }

you will get events like

{
"@timestamp" => 2020-08-03T20:40:30.716Z,
  "@version" => "1",
   "message" => [
    [0] "1 ....",
    [1] "2 ....",
    [2] "2 ....",
    [3] "3 ...."
],
      "tags" => [
    [0] "multiline"
],
      "host" => "myhost,
      "path" => "/home/user/foo.txt"
}

Daniel_Bergmann · August 3, 2020, 11:54pm

Thank you it´s work, How do I apply grok to each line of the array [0] [1] [2] to separate the fields ?

Regards,
Daniel

Badger · August 4, 2020, 12:37am

I believe if you ask grok to match against a field that is an array it will iterate over the entries and try the pattern or patterns against each one. You may or may not like how it presents the results. I suggest you try it.

Daniel_Bergmann · August 4, 2020, 11:53am

Thank you answer, but howto make ? how scan array ?

Thanks

system · September 1, 2020, 11:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Different multilines in one input Logstash	5	681	June 29, 2017
Config file for multiple multi-line patterns? Logstash	9	2311	June 24, 2021
Logstash multiline codec plugin Logstash	4	260	July 16, 2018
Multiline Codec Not Retrieving Any Data Logstash	2	514	February 27, 2017
How to parse the multiline json file through logstash Logstash	7	18328	July 6, 2017

Multiline Logstah file txt

Related topics