Subsequently get only first line of multi-line grok

RobT · October 30, 2015, 2:40pm

So, I'm retrieving a multi-line input just fine and storing in message. However, for throttling purposes I'd like to also just consider the first line so I'm trying to break the multi-line message up. I'm trying this:

grok {
  match => [ "message", "(?m)%{TIMESTAMP_ISO8601:timestamp} \[%{NUMBER:threadId}\] %{LOGLEVEL:level} %{DATA:logger} %{GREEDYDATA:message}" ]
  overwrite => [ "message" ]
  tag_on_failure => ["error_message_not_parsed"]
  break_on_match => false
}

...

# create a copy of the message
mutate {
	add_field => { "message_array" => "%{message}" }
}

# make new copy become an array whereby each line is an element
mutate {
	split => { "message_array" => "\n" }
}

# keep first line only
mutate {
	replace => { "message_array" => "%{[message_array][0]}" }
}	

# let's throttle events after first occurrence each 5 minutes for email purposes
throttle {
	before_count => -1
	after_count => 1
	period => 300
	key => "%{city}%{message_array}"
	add_tag => "throttled"
}

message_array is still the same as message however ( not just the first line ), so appears I'm doing something wrong with the split?

RobT · October 30, 2015, 7:11pm

It was the mutate split on "\n" that does not work - worked around using:

ruby {
   code => "event['message_array'] = event['message_array'].split(/\n/)"
}

Topic		Replies	Views
Split a string to array/list, greedy match Logstash	3	495	December 30, 2020
How to grok a multiline message? Logstash	8	11779	July 30, 2019
Multiline message problem Logstash	3	326	April 30, 2020
How do I get the first 2 lines of a multiline log using logstash 2.4.0? Logstash	1	1125	November 30, 2017
Grok matching multi-lines saving first and last value to separate fields Logstash	12	1885	March 22, 2021

Subsequently get only first line of multi-line grok

Related topics