Recover only a part of a log with multiline codec

Justin_V · February 26, 2016, 8:35am

Hello again,

I'm now having trouble with some particular logs.

As you can see, these are "multiline" logs : the message is continuing in the next lines. But (as you can see too), they start again with the same pattern.

What I've done :
I've determined this multiline codec :

codec => multiline{
patterns_dir => "./patterns"
pattern => "^%{TIMESTAMP_ISO8601} %{POSINT} %{LOGLEVEL} (?:%{USERNAME}|?) %{PROG}: {1}"
negate => true
what => previous
}

So if there are more than one blank space after the pattern, it's part of the previous log.
But here's the problem : How can I say to logstash to only take what is after the pattern ?
I've tried, and it give me something pretty weird.

Thanks in advance for the help.

Roy_K · February 26, 2016, 3:33pm

I think you are looking for something like this. Obviously I cannot test this. But I am doing something similar, where anything not starting with a datestamp in the specific format is multiline. Work fine for my logs.
multiline { pattern => "%{TIMESTAMP_ISO8601} %{POSINT} %{LOGLEVEL} (?:%{USERNAME}|\?) %{PROG}:\s" negate => true what => "previous" }
Here is my working code. I modified this to attempt to make yours work.
`
multiline {
pattern => "[%{DAY}-%{MONTHNUM}-%{MONTHDAY} %{TIME},"
negate => true
what => "previous"
}

`

Justin_V · February 26, 2016, 3:55pm

As I said to you in your post : reverse effect. My issue is probably only my pattern, and I will find what i've done wrong

Justin_V · February 29, 2016, 12:56pm

I changed the end of my regex from " {1}" to " %{NOTSPACE}". It works again, but everything is concatenated dumbly.
I didn't find the equivalent of "stream_identity" in codec, so I'm stuck again.
Need help, anyone please