Hi, I am using multiline to extract data from Sample Log:
[This
'create' => array ( 'key1' => 'value1', 'key2' => 'value2', 'key6' => 'value3' ), )
[2014-03-02 17:34:20] - 127.0.0.1|DEBUG| flush_multi_line
Code Snippet
filter {
  multiline {
    pattern => "^[This.*"
    what => "previous"
    negate => true
  }
  if "|DEBUG| flush_multi_line" in [message] {
    drop {} # We don't need the dummy line so drop it
  }
}
The above code snippet doesn't work.
What am I missing???
I wonder if your pattern should just go as far as the first square bracket as it otherwise will not match the line that you are dropping. As it is now I would expect this example to form a single line and be dropped. If you output the lines you want to drop to a file instead it might be easier to see what is dropped and figure out why.
Sample Log:
11 This 96.112.248.81
'create' =>
array (
'key1' => 'value1',
'key2' => 'value2',
'key6' => 'value3'
),
)
[2014-03-02 17:34:20] - 127.0.0.1|DEBUG| flush_multi_line
Code Snippet 1
filter {
  multiline {
    pattern => "[0-9]*\s+%{DATA}\s+%{IP}"
    what => "previous"
    negate => true
  }
  if "|DEBUG| flush_multi_line" in [message] {
    drop {} # We don't need the dummy line so drop it
  }
  kv {
    field_split => "\n"
    #value_split => ":"
    source => "message"
  }
}
Code Snippet 2
filter {
  multiline {
    pattern => "^11 This %{IP}"
    what => "previous"
    negate => true
  }
  if "|DEBUG| flush_multi_line" in [message] {
    drop {} # We don't need the dummy line so drop it
  }
  kv {
    field_split => "\n"
    source => "message"
  }
}
Code Snippet 1 works and Code Snippet 2 doesn't work.
The only difference is the pattern in multiline.
In Snippet 1 the pattern is "[0-9]*\s+%{DATA}\s+%{IP}"
In Snippet 2 the pattern is "^11 This %{IP}"
Can you figure out the mistake I am making in Snippet 2?
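The reply's point about the flush line being merged and dropped can be checked with a small Ruby model of `multiline { negate => true, what => "previous" }` plus the `drop` conditional. This is an added example, not code from any poster or from Logstash. Assumptions: `IP` and `DATA` are simplified stand-ins for the grok macros, the helper names are hypothetical, and pending lines are flushed at end of input.

```ruby
# Simplified model of multiline { negate => true, what => "previous" } followed
# by the drop conditional. Not Logstash code; grok macros are approximated.
IP   = '(?:\d{1,3}\.){3}\d{1,3}' # assumption: IPv4-only stand-in for %{IP}
DATA = '.*?'                      # assumption: stand-in for %{DATA}
PATTERNS = {
  snippet1: Regexp.new("[0-9]*\\s+#{DATA}\\s+#{IP}"),
  snippet2: Regexp.new("^11 This #{IP}")
}.freeze

# Sample log as posted in the thread
SAMPLE = <<~LOG.lines.map(&:chomp)
  11 This 96.112.248.81
  'create' =>
  array (
  'key1' => 'value1',
  'key2' => 'value2',
  'key6' => 'value3'
  ),
  )
  [2014-03-02 17:34:20] - 127.0.0.1|DEBUG| flush_multi_line
LOG
FLUSH_MARKER = '|DEBUG| flush_multi_line'

# negate => true, what => "previous": a line that does NOT match the pattern
# is appended to the previous event; a matching line starts a new event.
def group_events(lines, pattern)
  lines.each_with_object([]) do |line, events|
    if events.empty? || line.match?(pattern)
      events << line.dup
    else
      events.last << "\n" << line
    end
  end
end

# Mirrors: if "|DEBUG| flush_multi_line" in [message] { drop {} }
def surviving_events(lines, pattern)
  group_events(lines, pattern).reject { |msg| msg.include?(FLUSH_MARKER) }
end

# An unescaped "[" opens a character class, so "^[This.*" from the first
# post is rejected by the regex compiler before any line is tested.
def compiles?(source)
  !!Regexp.new(source)
rescue RegexpError
  false
end

PATTERNS.each { |name, re| puts "#{name}: #{surviving_events(SAMPLE, re).size} event(s) kept" }
puts "'^[This.*' compiles? #{compiles?('^[This.*')}"
```

In this model the Snippet 1 pattern also matches the `[2014-03-02 ...]` flush line, so that line becomes its own event and is the only thing dropped. The Snippet 2 pattern matches only the first line, so the flush line is appended to the data event and the conditional drops the whole event.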