Hi, I have a problem when a ln or \n exists in the message text. My grok filter is:
match => { "message" => "<%{DATA:timestamp}> <%{WORD:Severity}> <%{WORD:Subsystem}> <%{HOSTNAME:ServerName}> <%{HOSTNAME:Instancia}> <%{DATA:Thread}> <<%{DATA:Kernel}>> <%{DATA:UserId}> <%{NOTSPACE:MsgId}> <%{DATA:MsgText}>" }
and it works OK, but when the field MsgText has a ln or \s it fails.
Below, in the image of the WebLogic log, after "java:726)" comes a line break, and this causes the field reading to fail.
What does your event look like? Are you doing multiline processing? If so, is it in filebeat or are you using a multiline codec in logstash? The codec has an example in the documentation of how to handle Java stack traces.
You need to provide more detail about your configuration. Get the entire message into a single event before you start worrying about how to configure the grok filter.
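A pipeline sketch of the advice in the reply above, added here as an example and not taken from either poster's configuration. It assumes the log is read directly by Logstash's file input (the path is a placeholder), that every new record starts with `<` as in the grok pattern in the question, and it swaps the last field to GREEDYDATA and prefixes `(?m)` so MsgText can span the joined lines.

```conf
input {
  file {
    # Placeholder path (assumption): point this at the real server log.
    path => "/path/to/weblogic/server.log"
    codec => multiline {
      # Assumption: a new record begins with "<". Any line that does NOT
      # start with "<" (stack-trace lines, wrapped text) is appended to
      # the previous line, so one log record becomes one event.
      pattern => "^<"
      negate => true
      what => "previous"
      # Emit the last buffered record if no new line arrives for 5 s.
      auto_flush_interval => 5
    }
  }
}

filter {
  grok {
    # (?m) lets "." match newlines, so fields can cross line breaks.
    # MsgText uses GREEDYDATA so it runs to the final ">" of the event
    # instead of stopping at the first ">" inside a stack trace.
    match => { "message" => "(?m)<%{DATA:timestamp}> <%{WORD:Severity}> <%{WORD:Subsystem}> <%{HOSTNAME:ServerName}> <%{HOSTNAME:Instancia}> <%{DATA:Thread}> <<%{DATA:Kernel}>> <%{DATA:UserId}> <%{NOTSPACE:MsgId}> <%{GREEDYDATA:MsgText}>" }
  }
}
```

If the file is shipped by filebeat, the line joining has to happen in filebeat's multiline settings instead of the codec, and only the grok change applies on the Logstash side.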