Multiline message problem

Rutger2000 · April 2, 2020, 9:05am

Hello,

I'm parsing multiline messages to elastic using Logstash. 99,9% of the messages are parsed correctly, but a small part is not. As far as I can see I'm not getting any errors. The messages that are not parsed correctly are available in elastic, but somehow the original timestamp is removed from the message and is given the timestamp of the moment the messages was parsed. Also none of the information in the messages is indexed. Some help would be nice.

script:

input {

file {
path => ["C:/path"]
sincedb_path => "nul"
start_position => "beginning"
mode => "read"
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601} "
negate => true
what => previous
max_lines => 100000
auto_flush_interval => 1
}
}
} #end input

filter{

fingerprint {
source => "message"
target => "[@metadata][fingerprint]"
method => "MURMUR3"
}

grok{
match => {
"message" => ["%{TIMESTAMP_ISO8601:timestamp}%{GREEDYDATA:rest}"]
}
}

grok{
match => {
"rest" => ['value1%{SPACE}=%{SPACE}%{DATA:field1}\r']
}
}

grok{
match => {
"rest" => ['value2%{SPACE}=%{SPACE}%{NUMBER:field2}']
}
}

grok{
match => {
"rest" => ['value3%{SPACE}:%{SPACE}%{NOTSPACE:field3}']
}
}

if [field1] == "100" {

grok{
  match => {
    "rest" => ['value4.%{SPACE}:%{SPACE}%{GREEDYDATA:field4}']
  }
}

}

grok{
  match => {
    "value5" => ['%{GREEDYDATA:field5}\n']
  }
}

dissect {
mapping => {
'field5' => "%{value6->} %{value7->} "
}
}

ruby {
  code=> "
    mat = event.get('value8').scan(/value9[2-3]([A-Z]+ [0-9]+)/)
    event.set('field10', mat.flatten)
            "
}

} # end if1

date{
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
timezone => "Europe/London"
target => "@timestamp"
}

if [id_kort] != "value11" and "value12" in [message] {
mutate {
add_field => { "field14" => "%{value13}%{value14}" }
}
}

mutate {
remove_field=> ["field4"]
gsub=> ["field15", " ", ""]
strip=> ["field2", "field3"]
}

} # end filter

output {

elasticsearch{
hosts => "localhost:9200"
document_id => "%{[@metadata][fingerprint]}"
index => "name1"
}

} # end output

logfile:

2019-12-16 08:00:00 message received; id=105
field1: value1
field2: value2
field3:value3
2019-12-16 08:00:01 message received; id =107
field1: value5
field2: value6
field3:value7
2019-12-16 08:00:03 messega received; id =110
field1: value8
field2: value9
field3: value10

Badger · April 2, 2020, 1:07pm

Is it possible that messages are being split across events due to the low value for the auto flush interval?

Rutger2000 · April 2, 2020, 2:38pm

That's it! Thanks so much Badger, unlimited Kudo's for you!!!

system · April 30, 2020, 2:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to handle message receive multiline in logstash Logstash	1	300	January 23, 2020
Need to parse multi-lines log message Logstash	4	124	May 27, 2024
Multiline parsing error Logstash	2	219	January 3, 2021
Duplicated message in document, grok pattern problem Logstash	3	261	March 31, 2022
Hi, I am new to ELK. Trying to parse the date inside the multiline messages as timestamp. Let me know what config file to be used Logstash	8	1039	July 6, 2017

Multiline message problem

Related topics