[Need Help] Multiple pattern in one log file

SiegeLion · July 11, 2015, 4:40am

I am trying to send xtreemfs log files to logstash and parse them into elastic search

A problem with xtreemfs log files is that they begin with some thing like

########### Configuration ###########
# Stuff
# More Stuff
# More stuff
# Even more stuff
### End of configuration stuff

As you can see, two different patterns exist in one log file.

Is there a way for me to group the line beginning with # together in one single event? And then parse the rest of logs beginning with [ using another grok?
What is the proper way to handle this? I am using logstash 1.4.2.
Is parsing some thing like this well supported in logstash?

warkolm · July 11, 2015, 4:54am

If the lines begin in #, you can do a conditional and then drop them entirely.

SiegeLion · July 11, 2015, 5:03am

I don't want to drop them.

I still want to group them together and show them as one event.

warkolm · July 11, 2015, 5:05am

Then you will want to do a conditional but with a mutliline filter/codec.

SiegeLion · July 11, 2015, 5:50am

Hey Mark! Thanks for the great help.

I was able to group the # logs together with this codec under file input.

codec => multiline {
  pattern => "^\["
  negate => true
  what => previous
}

Now the multiline events are nicely tagged with "multiline" and allow me to do further processing if needed!

Topic		Replies	Views
Multiple patterns for Multiline Configuration? Logstash	3	1487	July 6, 2017
Solution for multiple patterns for multiline configuration Logstash	3	5916	July 6, 2017
Logstash XML file with multiple patterns Logstash	5	898	November 30, 2017
Multiple Multiline pattern based on a condition Beats filebeat	1	566	May 7, 2019
Logstash : parse multiple lines, each in one field in a single event Logstash	3	834	August 2, 2018

[Need Help] Multiple pattern in one log file

Related topics