Multiple patterns for Multiline Configuration?

TimTim · October 15, 2015, 11:07am

I am wondering if it is possible to have mulitple patterns in the multiline configuration or Logstash (running 1.4.5 at the moment)?

The reason is that we have several log files coming in that we want to go to the same output (Elasticsearch). But:

those logfiles have different syntaxes
all come from the same machine
input is set with tcp { ... } and use the same port

The online help doesn't mention anything about this ....

Or is there another way to catch the different logs at input so I can add a field or tag to be able to handle them during filter ???

warkolm · October 16, 2015, 6:14am

I don't think so.

Are the two different multiline events the same general pattern, eg same type/pattern/what? If so you could just grab each multiline event and then run separate groks on them?

TimTim · October 16, 2015, 7:06am

They have different patterns, which is my big problem.

But I solved it by sending them through another port. Then I can add a tag or field during input. Add the same "type" to them, but in the "filter" I can use if statements now based on the added tag/field and apply the different multiline patterns.
All goes to the same output now as I want.