Multiline pattern for javaserver log not working

Hello team,
I am trying to write a multiline pattern for the log line below, but it is not working.
It is displaying a separate line for each "at" record. Can you please help me write a multiline pattern for this?

Log line:

[2022-02-10T00:02:06,971][ERROR][o.e.x.i.IndexLifecycleRunner] [es-master-1] policy [index-less-than-30-days] for index [akl-netsec-ctm-2022.01.11] failed on step [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}]. Moving to ERROR step
java.lang.IllegalArgumentException: index.lifecycle.rollover_alias [akl-netsec-ctm] does not point to index [akl-netsec-ctm-2022.01.11]
        at org.elasticsearch.xpack.core.ilm.WaitForRolloverReadyStep.evaluateCondition(WaitForRolloverReadyStep.java:156) [x-pack-core-7.16.2.jar:7.16.2]
        at org.elasticsearch.xpack.ilm.IndexLifecycleRunner.runPeriodicStep(IndexLifecycleRunner.java:226) [x-pack-ilm-7.16.2.jar:7.16.2]
        at org.elasticsearch.xpack.ilm.IndexLifecycleService.triggerPolicies(IndexLifecycleService.java:408) [x-pack-ilm-7.16.2.jar:7.16.2]
        at org.elasticsearch.xpack.ilm.IndexLifecycleService.triggered(IndexLifecycleService.java:339) [x-pack-ilm-7.16.2.jar:7.16.2]
        at org.elasticsearch.xpack.core.scheduler.SchedulerEngine.notifyListeners(SchedulerEngine.java:186) [x-pack-core-7.16.2.jar:7.16.2]
        at org.elasticsearch.xpack.core.scheduler.SchedulerEngine$ActiveSchedule.run(SchedulerEngine.java:220) [x-pack-core-7.16.2.jar:7.16.2]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?]
        at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) [?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
        at java.lang.Thread.run(Thread.java:833) [?:?]

Multiline pattern:

  multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}[T]{1}[0-9]{2}:[0-9]{2}:[0-9]{2}'
  multiline.negate: true
  multiline.match: after
  fields_under_root: true

Hello!

I tested a regexp similar to yours with no major problems. Since you did not post your full configuration I am going to guess that maybe you are using the filestream input and the multiline parser is not properly configured. If using the log input the config should look like:

- type: log
  enabled: true
  paths:
    - 'sample.log'
  multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(,[0-9]{3})?'
  multiline.negate: true
  multiline.match: after
  fields_under_root: true

While if using the filestream input:

- type: filestream
  enabled: true
  paths:
    - 'sample.log'
  parsers:
    - multiline:
        pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(,[0-9]{3})?'
        negate: true
        match: after
  fields_under_root: true

Hope that helps!
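Added example (not part of the original posts, and not Filebeat's own code): a small Python approximation of `negate: true` / `match: after` grouping, useful for checking the pattern from the answer above against sample lines before deploying the config. The function name `group_multiline` is hypothetical, and the sample lines are abbreviated from the log in the question plus one constructed second event.

```python
import re

# Pattern copied from the answer above. Filebeat evaluates it with Go's regexp
# engine; this particular expression behaves the same under Python's re.
PATTERN = re.compile(
    r'^\[[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(,[0-9]{3})?'
)

def group_multiline(lines, pattern=PATTERN):
    """Approximate 'negate: true, match: after' grouping.

    A line that does NOT match the pattern is appended to the event started
    by the most recent line that DID match. A non-matching line seen before
    any matching line starts an event of its own.
    """
    events, current = [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        starts_event = bool(pattern.search(line))
        if starts_event or current is None:
            if current is not None:
                events.append("\n".join(current))
            current = [line]
        else:
            current.append(line)  # continuation, e.g. a stack-trace frame
    if current is not None:
        events.append("\n".join(current))
    return events

# Constructed sample: first event abbreviated from the question's log,
# second event invented to show where the next event begins.
SAMPLE = [
    "[2022-02-10T00:02:06,971][ERROR][o.e.x.i.IndexLifecycleRunner] [es-master-1] policy failed. Moving to ERROR step",
    "java.lang.IllegalArgumentException: index.lifecycle.rollover_alias [akl-netsec-ctm] does not point to index",
    "        at org.elasticsearch.xpack.ilm.IndexLifecycleRunner.runPeriodicStep(IndexLifecycleRunner.java:226) [x-pack-ilm-7.16.2.jar:7.16.2]",
    "        at java.lang.Thread.run(Thread.java:833) [?:?]",
    "[2022-02-10T00:02:07,102][INFO ][constructed.Logger] [es-master-1] constructed second event",
]

if __name__ == "__main__":
    for i, event in enumerate(group_multiline(SAMPLE), 1):
        print(f"--- event {i} ({event.count(chr(10)) + 1} lines) ---")
        print(event)
```

If the pattern is wrong, or the multiline settings are not applied to the input at all, every line becomes its own event, which is the symptom described in the question.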

Awesome, it worked. Thank you so much, I have been trying this for the last two days.
