Regexp pattern not working

marcmga · February 15, 2016, 5:28pm

Hi,

I'm using this configuration to multiline all logs till a timestamp or an ip is found.
I started with timestamp, but it ignores the pattern.

filebeat:
 # List of prospectors to fetch data.
 prospectors:
 -
  paths:
   - /opt/tomcat/logs/tomcat.*.log
  input_type: log
  document_type: filebeat
  scan_frequency: 60s
  fields:
   host: xxxx
  fields_under_root: true
  multiline:
    pattern: ^([0-9]{4})(-?)(1[0-2]|0[1-9])(-?)(3[01]|0[1-9]|[12][0-9])[[:space:]](2[0-3]|[01][0-9]):?([0-5][0-9]):?([0-5][0-9])$
    negate: true
    match: after
    max_lines: 200
    timeout: 2s
  tail_files: true
  registry_file: /var/lib/filebeat/registry

output:
  logstash:
   hosts: ["x.x.x.x:5044"]
shipper:
  logging:
   files:
    rotateeverybytes: 10485760 # = 10MB

logstash receives the log in multiline format, but ignores if it receives a timestamp and marge all content.

What am i doing wrong?

Thanks

magnusbaeck · February 15, 2016, 6:26pm

And a couple of example lines of input, as requested earlier?

marcmga · February 16, 2016, 7:46am

Hi Magnus,

2016-02-15 16:06:00 ERROR BingoChampions [pool-54-thread-1] [StandardIntegrationImpl.java:650] Finalizado proceso de historificacion de transacciones
        at sun.reflect.GeneratedConstructorAccessor594.newInstance(Unknown Source) ~[na:na]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.6.0_34]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:534) ~[na:1.6.0_34]

If the log looks like that, never sends to logstash, because when i disable multiline and restart filebeat, it sends all messages remaining.

Thanks

magnusbaeck · February 16, 2016, 8:19am

Your multiline pattern doesn't match the input line. There might be several reasons for that, but the most obvious one is that you end the pattern with time and a dollar sign,

[[:space:]](2[0-3]|[01][0-9]):?([0-5][0-9]):?([0-5][0-9])$

but the actual line from the log contains extra text after the time.

marcmga · February 16, 2016, 8:27am

Hi Magnus, thanks for early response.
As in logstash multiline filter, i though that if it finds the pattern (just a piece of it) it processes. I did like this and worked in logstash.
I mean, it finds the pattern at the beggining of the line, nevermind what comes after that because it finds the pattern at the beggingin fo the line.
Am i wrong? if so, how to proceed?

Thanks again

magnusbaeck · February 16, 2016, 8:38am

The dollar sign means "end of string". Your string doesn't end after the time marker. Remove the dollar sign.

marcmga · February 16, 2016, 9:53am

Magnus, as always ou solved, that was the pb...
Starting this topic, i write that i wanted to check if theres a timestamp or an ip. I have ip regexp, but i tried to put it with and or between both regexp (timestampt and ip) and not working.

((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)