Parsine multiline in logstash

Hi every body,
i have a log file like below:

Line1 : 17:13:41,971 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host]] (http-/0.0.0.0:10805-7) JBWEB000313: Exception processing error page /error/error.
Line2 :17:13:42,035 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/clientV3].
          at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          more......
         Caused by: This is the line I want to capture

My pipeline is:

    input {
            file {
            path => "c:/logstash.log"
            start_position => "beginning"
            sincedb_path => "/dev/null"
            codec => multiline {
            pattern => "^%{TIMESTAMP_ISO8601} "
            negate => true
            what => previous
       }
            }
    }
    filter {

    grok{
    	  match => { "message" => "%{TIME:date} %{LOGLEVEL:level} %{GREEDYDATA:message}" }
        add_tag => [ "groked" ]
        remove_tag => ["_grokparsefailure"]
    	}
    }
    output {
    if	"ERROR" in [level]
    {
    elasticsearch {
      hosts=>"localhost:9200"
      index => "errors"
      document_type => "error"
     }}
    stdout { codec => rubydebug }
    }

Note:1-when i don't use multiline plugin,i get some result relatively correct.but in the line 2 its shows just the first line it doesn't continue to show after at....
2-when i use multiline plugin it doesn't shwo 17:13:42,035 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host]..it starts for example from the seconde at..

any help would be greatly appreciated

Your messages don't begin with an ISO8601 timestamp so TIMESTAMP_ISO8601 is the wrong pattern to use. Perhaps TIME will work better?

Thank you so much.you are totaly right.it works now fine.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.