My multiline input codec is broken

ibrahimsharaf · April 12, 2017, 5:21pm

Hello I am using a multiline input codec to merge all the lines starting with either a whitespace or {' with the previous one, here's a snippet of my log file (http://codepad.org/vAMFhhR2), I want this snippet to be parsed as a single event.

here's my input section:

input {
    tcp {
        port => 5000
        codec => multiline {
            pattern => "^(\s|{')"
            what => "previous"
        }
    }
}

the codec processes the log above into 2 separate events (http://codepad.org/gNGvbi4j), (http://codepad.org/qvRjg925).

Can you point me to the problem?

ibrahimsharaf · April 12, 2017, 5:27pm

Another idea would be merging all the lines that don't start with a timestamp into the pervious line that has a timestamp, but I'm not sure how to code it.

system · May 10, 2017, 5:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.