Multiline matching not working as aspected

shani_angarkadu · August 11, 2018, 5:52pm

I have tried all the combinations of multiline.

multiline.pattern: '^([0-9]{4})-([0-1][0-9])-([0-3][0-9])\s([0-1][0-9]|[2][0-3]):([0-5][0-9]):([0-5][0-9])$' //timestamp pattern
multiline.negate: true
multiline.match: after
taking all the lines as single line.

logs:

2018-12-02 00:06:50,395             SELECT DISTINCT eiup.login_id AS LoginId, up.is_super_user AS IsSuperUserCode,
      CASE WHEN up.is_super_user = 1 THEN 1 ELSE up.is_pie_user END AS IsPieUserCode,
            up.last_used_portfolio_id AS LastUsedPortfolio,
            WHERE eiup.login_id = :login_id <<INFO Nete.Ireport.Data.AppDbContext [t15]>>
2018-12-02 04:55:32,466 Response #63669473732326094014 for GET http://app/rest/competingappls/council?supplements=true&ic=OD <<INFO asssdds.Infrastructure.MessageLoggingInterceptor [t18]>>
2018-12-02 05:51:35,059 Request of sadada #6366947709505949325: GET http://app/rest/competingappls?loginId=BERNHARDEJ <<INFO asssasdsdad.Infrastructure.MessageLoggingInterceptor [t33]>>
2018-12-02 05:51:35,450 Opened connection at 8/10/2018 5:51:35 AM -04:00 <<INFO Data.AppDbContext [t33]>>
2018-12-02 05:51:35,450 Opened connection at 8/10/2018 5:51:35 AM -04:00 <<INFO .Data.AppDbContext [t33]>>

please help me. I have been trying from days.

Thanks,
Ram

Debashis · August 13, 2018, 6:10am

Hello @shani_angarkadu,

I think you want to create a multiline event that will consist lines from Line-1 to Line-4
and the rest Line-5 to Line-8 will be published as a single line event as per you suggested logs.

If my understanding is correct then you can get it by configuring

multiline.pattern: '^[1]{4}-[0-9]{2}-[0-9]{2}'

Please let me know further

0-9 ↩︎

shani_angarkadu · August 14, 2018, 12:10am

thank you.

Actually, my pattern match was wrong.

Thanks again

Debashis · August 14, 2018, 4:04am

Hi @shani_angarkadu,

Kindly Marked is as solved

Debashis · August 16, 2018, 4:47am

Hi @shani_angarkadu,

This is the filebeat discussion forum kindly post this query in logstash dicussion forum. Please remove this query from here and mark this discussion as solved.

system · September 13, 2018, 4:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.