Parsing Failed for multiline starts with dd MMM yyyy HH:mm:ss,SSS

Anuj_Rajput · May 7, 2018, 1:47pm

Parsing Failed for multiline starts with dd MMM yyyy HH:mm:ss,SSS
Sample log : 06 May 2018 18:25:01,021 Some Multiline Text
Below configuration is used
input {
file {
path => "/Some/Loactions/*.log"
type => "api_access"
codec => multiline {
pattern => "^{TIMESTAMP_ISO8601:timestamp} "
negate => true
what => "previous"
}
date {
"match" => [ "timestamp", "dd MMM yyyy HH:mm:ss,SSS" ]
target => "@timestamp"
}
}

output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}

magnusbaeck · May 8, 2018, 7:46pm

That's not an ISO8601 date so don't use the TIMESTAMP_ISO8601 pattern. Also, the multiline codec isn't a grok filter so you can't create new fields with it.

system · June 5, 2018, 7:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.