Multiline Logstash

Hi, I am using multiline to extract data from
Sample Log
[This
*'create' => *
array (
'key1' => 'value1',
'key2' => 'value2',
'key6' => 'value3'
),
)
[2014-03-02 17:34:20] - 127.0.0.1|DEBUG| flush_multi_line

Code Snippet
filter {
    multiline {
        pattern => "^[This.*"
        what => "previous"
        negate => true
    }
    if "|DEBUG| flush_multi_line" in [message] {
        drop {} # We don't need the dummy line so drop it
    }
}

The above code snippet doesn't work.
What am I missing???

Any Thoughts on this???

I wonder if your pattern should just go as far as the first square bracket as it otherwise will not match the line that you are dropping. As it is now I would expect this example to form a single line and be dropped. If you output the lines you want to drop to a file instead it might be easier to see what is dropped and figure out why.
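The grouping this reply describes, as an added Python sketch (not part of the thread and not Logstash code): it emulates `negate => true` with `what => "previous"` on the first sample log and then applies the drop conditional. It assumes the leading bracket is escaped and uses Python's `re`, which is not the regex engine Logstash uses; the function names are hypothetical.

```python
import re

# First sample log from the thread, one list item per line.
SAMPLE = [
    "[This",
    "*'create' => *",
    "array (",
    "'key1' => 'value1',",
    "'key2' => 'value2',",
    "'key6' => 'value3'",
    "),",
    ")",
    "[2014-03-02 17:34:20] - 127.0.0.1|DEBUG| flush_multi_line",
]
FLUSH_MARKER = "|DEBUG| flush_multi_line"


def compiles(pattern):
    """True if Python's re accepts the pattern (illustration only)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def group(lines, pattern):
    """negate => true, what => "previous": a line that does NOT match
    the pattern is appended to the previous event."""
    rx = re.compile(pattern)
    events = []
    for line in lines:
        if rx.search(line) or not events:
            events.append(line)          # matching line starts a new event
        else:
            events[-1] += "\n" + line    # non-matching line joins the previous one
    return events


def run(pattern):
    """Group the sample, then drop every event containing the flush marker."""
    return [e for e in group(SAMPLE, pattern) if FLUSH_MARKER not in e]


if __name__ == "__main__":
    print("unescaped '^[This.*' compiles in re:", compiles("^[This.*"))
    print("events kept with ^\\[This:", len(run(r"^\[This")))  # flush line merged, all dropped
    print("events kept with ^\\[    :", len(run(r"^\[")))      # flush line separate, record kept
```

With a pattern that only matches `[This`, the flush line is folded into the record, so the conditional drops the whole event; a pattern that stops at the first square bracket lets the flush line form its own event.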

Sample Log:
11 This 96.112.248.81
'create' =>
array (
'key1' => 'value1',
'key2' => 'value2',
'key6' => 'value3'
),
)
[2014-03-02 17:34:20] - 127.0.0.1|DEBUG| flush_multi_line

Code Snippet 1

filter {
    multiline {
        pattern => "[0-9]*\s+%{DATA}\s+%{IP}"
        what => "previous"
        negate => true
    }
    if "|DEBUG| flush_multi_line" in [message] {
        drop {} # We don't need the dummy line so drop it
    }
    kv {
        field_split => "\n"
        #value_split => ":"
        source => "message"
    }
}

Code Snippet 2

filter {
    multiline {
        pattern => "^11 This %{IP}"
        what => "previous"
        negate => true
    }
    if "|DEBUG| flush_multi_line" in [message] {
        drop {} # We don't need the dummy line so drop it
    }
    kv {
        field_split => "\n"
        source => "message"
    }
}

Code Snippet 1 works and Code Snippet 2 doesn't work.
The only difference is the pattern in multiline.
In Snippet 1 the pattern is "[0-9]*\s+%{DATA}\s+%{IP}"
In Snippet 2 the pattern is "^11 This %{IP}"

Can you figure out the mistake I am making in Snippet 2???

Any Thoughts on this??
