S3 input plugin with multiline codec. Last one is always lost

Den3 · December 22, 2015, 3:13am

I have log format like this

<<<\n
Accept:application/json, text/javascript, */*; q=0.01\r\n
Content-Type:application/x-www-form-urlencoded; charset=UTF-8\r\n
Origin:https://discuss.elastic.co\r\n
Referer:https://discuss.elastic.co/c/logstash\r\n
\r\n
<soap><a><b></b></a></soap>
>>>\n

and my logstash.conf

input {
    s3 {
        codec => multiline {
             pattern => "<<<\n"
             negate => true
             what => "previous"
        }
    }
}

output {
    elasticsearch {
        host => "192.168.99.100:9200"
        index => "tt"
    }
}

With this config, I always lose last one log.
for example, I have 450 logs but only 449 logs in Elasticsearch.

How could I solve this problem ?
Or I should not use multiline codec ?

English is not my mother language, if any word is offensive, please tell me.

Thank you

RileyShu · August 16, 2016, 6:34pm

Same here!

Topic		Replies	Views
Multiline Plugin - metadata missing from last line Logstash	4	615	July 20, 2018
Multiline Codec Not Retrieving Any Data Logstash	2	514	February 27, 2017
Logstash 7.1.1 - codec multiline filter loses last line Logstash	1	258	July 18, 2019
S3 input logs are not being parsed line by line Logstash	1	391	June 25, 2019
Codec multiline in output section Logstash	8	400	October 25, 2019

S3 input plugin with multiline codec. Last one is always lost

Related topics