Test multiline codec

Hello,

This is my configuration file :

input {
  file {
    path => "/usr/share/logstash/testmultiline.log"
    start_position => "beginning"
    #type => "log"
    sincedb_path => "/dev/null"
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      what => "previous"
    }
  }
}
output{
    stdout {codec => rubydebug }
}

The log file look like this :

2018-12-13T11:46:13.654+0000 Regulatory [INFO] Transaction : VALIDATE,FT18260HNC8R1bbcffrlnrt21x8awmxhtjfdz,FT18260HNC8R,100002506,13/12/2018,13/12/2018T11:46:13.243+0000,null,Payment Order,Date not a working day
2018-12-13T11:41:44.846+0000 Regulatory [INFO] Transaction : VALIDATE,qf16ft787bif1xs1iuoqihwi9,null,100002506,13/12/2018,13/12/2018T11:41:42.447+0000,null,Payment Order,Date not a working day
2018-12-13T12:07:41.644+0000 Regulatory [INFO] Transaction : VALIDATE,007069643021retfed8ar2w4ugvgz1n9xsuz,0070696430.2,100002506,13/12/2018,13/12/2018T12:07:39.905+0000,null,Payment Order,None
2018-12-13T13:13:22.449+0000 Regulatory [INFO] Transaction : VALIDATE,0004961017bb48fydx3gvq1dopa7tujzoya,0004961017,100002506,13/12/2018,13/12/2018T13:13:21.700+0000,null,Payment Order,Invalid end date

My goal is to specify that any line which begin with a timestamp have to belong to the previous line. The codec rubydebug doesn't show me anything, I don't know if the multiline works or not. How can I print my event? Is my event null that's why the codec doesn't show anything?

Thank you.

I am not sure I understand what you are trying to achieve. What output would you expect based on the sample data you provided where all lines have the same structure?

That multiline pattern cannot emit an event until it finds a line that does not start with the pattern. So if you append a line that does not start with the pattern it should work. Alternatively, use the auto_flush_interval option.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.