Need help using "Logstash multiline codec" to parse below oswatcher log lines

saurabhc · August 6, 2020, 2:32pm

I have logs from oswatcher which looks like below.

zzz ***Thu Jul 23 14:00:31 UTC 2020
MemoryTotal:       100831888 kB
MemoryFree:         1212388 kB
MemoryAvailable:   49997588 kB
zzz ***Thu Jul 23 14:01:02 UTC 2020
MemoryTotal:       100831888 kB
MemoryFree:         1188012 kB
MemoryAvailable:   49975416 kB
zzz ***Thu Jul 23 14:01:33 UTC 2020
MemoryTotal:       100831888 kB
MemoryFree:         1139428 kB
MemoryAvailable:   49944268 kB
zzz ***Thu Jul 23 14:02:03 UTC 2020
MemoryTotal:       100831888 kB
MemoryFree:         1147540 kB
MemoryAvailable:   49949120 kB

In this example, I want to parse from "line starting with zzz" to the next occurrence of "line starting with zzz" as a single line (using the multiline codec).
How I can use the multiline codec for this.
Only in case of the last occurrence of "line starting with zzz", the end of multiline would be end of file.

OR,
Is there any other alternative to do this.

Objective: I want output csv with each row having timestamp,MemoryTotal,MemoryFree,MemoryAvailable values.

saurabhc · August 6, 2020, 2:34pm

Similarly, I need to parse outputs from TOP, VMSTAT, PS etc commands where the outputs starts with a "line starting with zzz".

Badger · August 6, 2020, 2:34pm

Try

codec => multiline {
    pattern => "^zzz"
    negate => "true"
    what => "previous"
    auto_flush_interval = 10
}

saurabhc · August 6, 2020, 4:18pm

Thank You! It worked.

system · September 3, 2020, 4:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.