Multiple Mulitiline Patterns?

Jaxon_Kochel · May 24, 2017, 2:59pm

I'm wondering if there is any way to have multiple multiline patterns. I see this post https://discuss.elastic.co/t/solution-for-multiple-patterns-for-multiline-configuration/43807

which looks like he got something to work. I'm trying to do exactly as he was and and looking to do:

codec => multiline {
       pattern => "(%{MONTHNUM}/%{MONTHDAY}/%{YEAR}) | (%{DATESTAMP})"
      negate => true
      what => "previous"
      max_lines => 1000
      auto_flush_interval => 3
    }

However, when I do this only the first pattern works, so only %{MONTHNUM}/%{MONTHDAY}/%{YEAR} works and DATESTAMP does not and any datestamp lines get thrown into one giant multiline. If I switch the order and have DATESTAMP | %{MONTHNUM}/%{MONTHDAY}/%{YEAR} then only datestamp will work and any MONTHNUM}/%{MONTHDAY}/%{YEAR} will get thrown into one giant multiline.

Any help is greatly appreciated.

magnusbaeck · May 28, 2017, 6:45pm

Watch out for the spaces surrounding "|". Do you really have a space before the DATESTAMP? Suggestion:

^%{MONTHNUM}/%{MONTHDAY}/%{YEAR})|%{DATESTAMP}

Jaxon_Kochel · May 31, 2017, 1:40pm

Magnus I did not try this, but it seems like it should work. I feel silly having put the spaces around the "|" before you responded I was able to solve this by using a more general pattern of "^%{NOTSPACE} ?-? ?%{TIME}" to solve all my needs.

system · June 28, 2017, 1:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.