Multiline Logstash


#1

Hi, I am using multiline to extract data from
Sample Log
[This
*'create' => *
array (
'key1' => 'value1',
'key2' => 'value2',
'key6' => 'value3'
),
)
[2014-03-02 17:34:20] - 127.0.0.1|DEBUG| flush_multi_line

Code Snippet
filter {
  multiline {
    pattern => "^[This.*"
    what => "previous"
    negate => true
  }
  if "|DEBUG| flush_multi_line" in [message] {
    drop {} # We don't need the dummy line so drop it
  }
}

The above code snippet doesn't work.
What am I missing???


#2

Any Thoughts on this???


(Christian Dahlqvist) #3

I wonder if your pattern should just go as far as the first square bracket as it otherwise will not match the line that you are dropping. As it is now I would expect this example to form a single line and be dropped. If you output the lines you want to drop to a file instead it might be easier to see what is dropped and figure out why.
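The behaviour described in the reply above, as an added example that is not part of the original thread and not Logstash's own code: a simplified Ruby model of `negate => true` / `what => "previous"` grouping followed by the conditional drop, run over a sample constructed from the first post's log. The helper names (`group_previous`, `drop_flush`, `compiles?`, `run`) and the escaped patterns `^\[This` and `^\[` are assumptions chosen for the comparison.

```ruby
# Constructed sample, based on the log in the first post.
SAMPLE = <<~LOG.lines.map(&:chomp)
  [This
  'create' =>
  array (
  'key1' => 'value1',
  'key2' => 'value2',
  'key6' => 'value3'
  ),
  )
  [2014-03-02 17:34:20] - 127.0.0.1|DEBUG| flush_multi_line
LOG

# Simplified model (assumption): with what => "previous", a line is folded
# into the previous event when (pattern matched, inverted if negate) is true.
def group_previous(lines, pattern, negate: true)
  events = []
  lines.each do |line|
    matched = pattern.match?(line)
    matched = !matched if negate
    if matched && !events.empty?
      events.last << "\n" << line   # continuation of the previous event
    else
      events << line.dup            # this line starts a new event
    end
  end
  events
end

# Models the conditional + drop {}: discard every event containing the marker.
def drop_flush(events, marker = "|DEBUG| flush_multi_line")
  events.reject { |e| e.include?(marker) }
end

# True when Ruby's regex engine accepts the pattern source.
def compiles?(src)
  Regexp.new(src)
  true
rescue RegexpError
  false
end

def run(pattern_src)
  drop_flush(group_previous(SAMPLE, Regexp.new(pattern_src)))
end

puts "unescaped '^[This.*' compiles: #{compiles?('^[This.*')}"
puts "events kept with ^\\[This: #{run('^\[This').length}"
puts "events kept with ^\\[:     #{run('^\[').length}"
```

With `^\[This` the flush line does not match, so it is folded into the record and the whole event is dropped; with `^\[` the flush line starts its own event and only that event is dropped.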


#4

Sample Log:
11 This 96.112.248.81
'create' =>
array (
'key1' => 'value1',
'key2' => 'value2',
'key6' => 'value3'
),
)
[2014-03-02 17:34:20] - 127.0.0.1|DEBUG| flush_multi_line

Code Snippet 1

filter {
  multiline {
    pattern => "[0-9]*\s+%{DATA}\s+%{IP}"
    what => "previous"
    negate => true
  }
  if "|DEBUG| flush_multi_line" in [message] {
    drop {} # We don't need the dummy line so drop it
  }
  kv {
    field_split => "\n"
    #value_split => ":"
    source => "message"
  }
}

Code Snippet 2

filter {
  multiline {
    pattern => "^11 This %{IP}"
    what => "previous"
    negate => true
  }
  if "|DEBUG| flush_multi_line" in [message] {
    drop {} # We don't need the dummy line so drop it
  }
  kv {
    field_split => "\n"
    source => "message"
  }
}

Code Snippet 1 Works and Code Snippet 2 doesn't work.
Only difference is pattern in multiline.
In Snippet 1 pattern is "[0-9]*\s+%{DATA}\s+%{IP}"
In Snippet 2 pattern is "^11 This %{IP}"

Can you figure out the mistake I am making in Snippet 2???


#5

Any Thoughts on this??

