Multiline parsing error

Muhammad_Faisal · December 6, 2020, 12:31pm

hi all,

i am using multiline to parse below log format...1 log entry is separated by either line which appears as "!-----New----------" or "------------!" ..... i am using below regex ,although its segregating log entries but in the "message" field its also sending the regex pattern lines "!-----New----------" or "------------!" ...how to make sure multiline shall only send "key:value" in message field

          pattern => "(^!-+.*?-+)|(-+!)"
           negate => true
          what => "previous"
      }
grok {
        `match => { "message" => "%{GREEDYDATA:logs}"}
     
     }

!----- New ---------------------------------------------------------------
key : value
key : value
key : value
!----- Event ---------------------------------------------------------------
key : value
key : value
key : value
---------------------------------------------------------------------------!
!----- New ---------------------------------------------------------------
key : value
key : value
key : value
---------------------------------------------------------------------------!
!----- New ---------------------------------------------------------------

Output:

"message" => "!----- New ----------------------------------------\n Key:value

Badger · December 6, 2020, 3:46pm

That is not possible. The multiline codec combines the lines in a file, it does not modify them.

You can use mutate+gsub to remove text from the message field. For example

mutate { gsub => [ "message", "^!-+New-+", "" ] }

system · January 3, 2021, 3:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.