Multiline Pattern for Logs in Kibana

sumit-kashyap · July 23, 2019, 7:32am

Can you please help me to how I can see my logs in different lines differ by minutes and seconds.
My logs are as under:
Jul 22, 2019 1:23:05 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/tomcat-7.0.42/webapps/Demo_Portal-hook
Jul 22, 2019 1:23:07 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/tomcat-7.0.42/webapps/Demo_ManageUsers-portlet
Jul 22, 2019 1:23:10 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/tomcat-7.0.42/webapps/Demo_ServiceManagement-portlet

Groc pattern:
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:application_timestamp} %{WORD:severity} %{GREEDYDATA:application_message}" }
}

Now my logs are coming in Kibana as:

Jul 22, 2019 1:23:52 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/tomcat-7.0.42/webapps/Demo_Theme-theme
Jul 22, 2019 1:23:55 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/tomcat-7.0.42/webapps/Demo_Network

But I want them in multiple lines for every second. Also I want to club the messages starting from At

Badger · July 23, 2019, 3:34pm

Is that 3 lines or 6?

sumit-kashyap · July 24, 2019, 7:04am

These are 3 logs starting with timestamp differ by seconds. I want to see them in different lines.

Badger · July 24, 2019, 12:25pm

Try

    grok {
        pattern_definitions => { "CUSTOMTS" => "%{MONTH} %{MONTHDAY}, %{YEAR} %{TIME} (AM|PM)" }
        match => { "message" => "%{CUSTOMTS:application_timestamp} %{JAVACLASS:class} %{WORD:something} %{LOGLEVEL:level}: %{GREEDYDATA:application_message}" }
    }

sumit-kashyap · July 25, 2019, 7:24am

Not working for me.

new-groc

My current logs are coming in this format. I want them to arrange in better way i.e logs starting from at in different lines with no space in starting.

Badger · July 25, 2019, 1:07pm

That is a completely different format to the other examples you gave, so you will need a different grok pattern.

sumit-kashyap · July 25, 2019, 1:27pm

Can you please give some idea?

Do I need to change multiline pattern in filebeat
I have changed my Conversion Pattern to get the logs in timestamp format. Actually I need that it should read logs according to timestamp as I had shown in logs , starting with Jul 22, 2019 1:23:05 PM

system · August 22, 2019, 1:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.