As you can see, these are "multiline" logs: the message continues on the next lines. But (as you can see too), they start again with the same pattern.
What I've done:
I've determined this multiline codec:
So if there is more than one blank space after the pattern, it's part of the previous log.
But here's the problem: how can I tell Logstash to only take what is after the pattern?
I've tried, and it gives me something pretty weird.
I think you are looking for something like this. Obviously I cannot test this. But I am doing something similar, where anything not starting with a datestamp in the specific format is multiline. Works fine for my logs.
```
multiline {
  pattern => "%{TIMESTAMP_ISO8601} %{POSINT} %{LOGLEVEL} (?:%{USERNAME}|\?) %{PROG}:\s"
  negate => true
  what => "previous"
}
```
Here is my working code. I modified this to attempt to make yours work.
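```
multiline {
  # "\[" matches a literal opening bracket; a bare "[" would open a character class.
  pattern => "\[%{DAY}-%{MONTHNUM}-%{MONTHDAY} %{TIME},"
  # Lines that do NOT match the pattern are appended to the previous event.
  negate => true
  what => "previous"
}
```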
I changed the end of my regex from " {1}" to " %{NOTSPACE}". It works again, but everything is concatenated dumbly.
I didn't find the equivalent of "stream_identity" in codec, so I'm stuck again.
Need help, anyone please
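
An added illustration, not part of any post in this thread: a small Python model of the behaviour being asked for, where a line whose prefix is followed by extra blank space is joined to the previous event and only the text after the prefix is kept. The prefix regex and the sample lines are constructed, modelled on the grok pattern quoted above; the real log format is an assumption.

```python
import re

# Assumed prefix shape (timestamp, pid, level, user or "?", program name),
# modelled on the grok pattern quoted in the thread; adjust to the real logs.
PREFIX = re.compile(
    r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:[.,]\d+)? "
    r"\d+ [A-Z]+ (?:[\w.-]+|\?) [\w./-]+: "
)

def merge_events(lines):
    """Join continuation lines to the previous event, dropping their prefix."""
    events = []
    for line in lines:
        m = PREFIX.match(line)
        if m is None:
            # No prefix at all: treat as a raw continuation of the last event.
            prefix, rest, continuation = "", line, bool(events)
        else:
            prefix, rest = m.group(0).rstrip(), line[m.end():]
            # Rule from the thread: extra blank space after the prefix
            # means the line belongs to the previous event.
            continuation = rest.startswith(" ") and bool(events)
        if continuation:
            events[-1]["message"] += "\n" + rest.strip()
        else:
            events.append({"prefix": prefix, "message": rest.strip()})
    return events

# Constructed sample input (not taken from the original post).
SAMPLE = [
    "2015-03-02 10:15:01.123 4242 INFO admin app.api: Request received",
    "2015-03-02 10:15:01.123 4242 INFO admin app.api:   method=GET",
    "2015-03-02 10:15:01.123 4242 INFO admin app.api:   path=/v2/items",
    "2015-03-02 10:15:02.456 4242 ERROR ? app.worker: Job failed",
    "2015-03-02 10:15:02.456 4242 ERROR ? app.worker:   Traceback (most recent call last):",
]

if __name__ == "__main__":
    for event in merge_events(SAMPLE):
        print(event["prefix"])
        print(event["message"])
        print("---")
```

In Logstash terms, the join corresponds to the multiline step and the prefix removal to a later filter that rewrites the merged message.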