Solution for multiple patterns for multiline configuration

Marine · March 8, 2016, 4:49pm

In the multiline documentation the setting "pattern" is a string and it's not possible to put an array of patterns, but I have a really hard logfile to parse and I need to do something similar.

I have two type of logs in the SAME FILE and sometimes they are on multiple lines as following :

2016-02-16 17:25:35,241 foo foo foo foo
        foo foo foo foo
        foo foo foo foo
        foo foo foo foo
        foo foo foo foo
Wed Feb 17 09:59:28 CET 2016 foo foo foo foo
        foo foo foo foo
        foo foo foo foo
        foo foo foo foo

I tried to do two multiline or something as following but without sucess :

 multiline{
      pattern => "((^%{TIMESTAMP_ISO8601}%{SPACE})|(^%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{WORD} %{YEAR}))"
      what    => "previous"
      negate  => true
    }

How can I do a multiline codec matching my logs on multiple lines ?

Thanks

magnusbaeck · March 9, 2016, 8:56pm

There's probably a small error in your expression. I don't see why an expression on the form ^(expr1|expr2) wouldn't work.

Marine · March 10, 2016, 12:47pm

@magnusbaeck Yes thank you, I changed my expression and it's working now

Topic		Replies	Views
Multiple patterns for Multiline Configuration? Logstash	3	1487	July 6, 2017
Multiple Mulitiline Patterns? Logstash	3	598	June 28, 2017
Config file for multiple multi-line patterns? Logstash	9	2298	June 24, 2021
Multiple patterns in multiline codec Logstash	1	880	July 6, 2017
[Need Help] Multiple pattern in one log file Logstash	5	1632	July 6, 2017

Solution for multiple patterns for multiline configuration

Related topics