I was playing around with logstash and wanted to try the multiline filter. I'm trying to parse a single file which can have multiline content in it. I'm using the multiline filter but it does not work the way it should. I have the following content in the file.
2014-10-11 10:10:10 xxxx yyyy
2013-09-12 11:11:11 aaaa bbbb
2012-01-01 10:10:10 cccc dddd
2011-10-12 01:01:01 mmmm Nan
Grok pattern used:
CUSTOMTIME %{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}
I'm using the following config file in logstash:
input {
  file {
    path => "/Users/akshayanilkapoor/Kumo/logs/akshay"
    codec => multiline {
      pattern => "^.*"
      what => "previous"
      negate => true
    }
  }
  stdin {
    codec => multiline {
      pattern => "^%{CUSTOMTIME}"
      what => "previous"
      negate => true
    }
  }
}
filter {
  grok {
    patterns_dir => "./patterns"
    match => ["message", "%{CUSTOMTIME:date1} %{GREEDYDATA:lumber-type} %{GREEDYDATA:lumber-desc}"]
  }
}
output {
  stdout { codec => rubydebug }
}
When I copy-paste the data shown above into stdin, it works as expected, i.e. it displays the output with the message containing all the events in the file. When I pass the same data through the file input, it outputs a different message for every log entry, i.e. I get 4 different log events (which is not what I desire).
Note: I have tried using the following options along with the multiline,
I think there is a very silly mistake that I have been making, or I'm misunderstanding how the filter is meant to be used. Any help would be much appreciated!
I had misunderstood the negate option of the multiline codec, as I expected :p This is the config file I used to get the config to work, in case it helps someone.
input {
  file {
    path => "/Users/akshayanilkapoor/Kumo/logs/akshay"
    codec => multiline {
      pattern => "^[0-9]"
      what => "previous"
      #negate => true
    }
  }
  stdin {
    codec => multiline {
      pattern => "^[a-z]"
      what => "previous"
      negate => "true"
    }
  }
}
filter {
  grok {
    match => ["message", "(?m)%{RSMROLLBACKTIME:date1} %{GREEDYDATA:lumber-type} %{GREEDYDATA:lumber-desc}"]
  }
}
output {
  stdout { codec => rubydebug }
}