Multiline pattern on basis of timestamp

Suresh_Pal · July 2, 2018, 9:39am

I'm trying to implement multiline pattern on the basis of timestamp.

My grok pattern in logstash are as follows:

match => { "message" => "(?m)%{TIMESTAMP_ISO8601:timestamp}\s*-\s*%{LOGLEVEL_TEST:level}\s*-\s*%{GREEDYDATA:restOfMsg}" }

multiline.pattern: '^[[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after

but I'm not able to achieve the same. please help

adrisr · July 2, 2018, 1:19pm

Hi,

There seems to be a mistake in your multiline.pattern regular expression.

multiline.pattern: '^[[0-9]{4}-[0-9]{2}-[0-9]{2}'

Either you escape the first square bracket ( '^\[[0-9...) or remove it altogether ( '^[0-9...)

It depends on whether your logs start with an actual bracket ([2018-06-28...) or not.

Suresh_Pal · July 3, 2018, 6:44am

my date start without bracket
2018-07-03 02:44:08,541 CustomLogWrapper.java 51 [http-nio-8080-exec-2862] ERROR - Tenant Name : Default There is some Runtime Exception for the user number 1.
Exception Message: null

Suresh_Pal · July 3, 2018, 6:54am

i want separate the logs in the basis 2018-07-03 02:44:08,541. Please look into attached screenshot. i'm getting multiple stamp within same stamp.

adrisr · July 3, 2018, 8:14am

So, what you want is:

Every line that starts with a date is a new log.
Every line that doesn't start with a date belongs to the previous line with a date.

The configuration for this is:

 multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
 multiline.negate: true
 multiline.match: after

Have a look at the documentation for this and other examples.
https://www.elastic.co/guide/en/beats/filebeat/current/_examples_of_multiline_configuration.html

Suresh_Pal · July 3, 2018, 8:47am

Thanks man, its working now.

system · July 31, 2018, 8:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.