I am trying to write a grok rule for certain logs and can't seem to find what should be done in cases where we have more than one line in a single log. Following is the screenshot of the logs I have: [screenshot of logs] In the attached image, the green ones (that is, the shorter logs) get parsed properly, while the longer ones (indicated by the red box, which have more than one line) get parsed erroneously.
multiline:
Here is the multiline filter I have written:
multiline {
    type => "sftp"
    pattern => "^[^\[2015]"
    what => "previous"
}
And this is the parsed (erroneous) output for the same:
[2015-10-03 23:32:00.603] ALL Config.logConfiguration() client configuration:]\n localPortCollection=[null]\n minThreadPoolSize=[3]\n maxThreadPoolSize=[6]\n perimeterServerName=[BSC_NODE2_OBD_PS3]\n.
As you can see, this above output has "\n" in it, and the grok rules I have written are not accepted because of the "\n" in the parent logs.
I tried "\n" while writing the grok rules.
filter {
    if [type] == "sftp" {
        # Lines that do NOT start with "[<ISO8601 timestamp>" are continuation
        # lines (negate => true) and get appended to the previous event.
        multiline {
            pattern => "^\[%{TIMESTAMP_ISO8601}"
            negate => true
            what => "previous"
        }
        grok {
            match => {
                message => "\[%{TIMESTAMP_ISO8601:timestamp}\]%{SPACE}%{WORD:loglevel}%{SPACE}%{GREEDYDATA:message}"
            }
        }
    }
}
Use negate in multiline and check http://grokdebug.herokuapp.com/patterns# for the date patterns available. Also use the date filter.
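The following is an added illustration, not code from the question or the answer above: a small Python stand-in for what the recommended config does, so you can see why negate => true with what => "previous" turns the indented lines into one event, why the joined message then contains "\n", and why the parser handling that message has to be allowed to cross newlines. The sample log lines are constructed to mirror the layout in the question, and the TIMESTAMP_ISO8601 regex is a simplified approximation of the Logstash grok pattern, not the real one. Function names (join_multiline, grok_event, parse_all) are this example's own.

```python
import re
from datetime import datetime

# Constructed sample input: one multi-line event followed by two single-line ones,
# laid out like the logs in the question (continuation lines start with a space).
SAMPLE_LINES = [
    "[2015-10-03 23:32:00.603] ALL Config.logConfiguration() client configuration:",
    " localPortCollection=[null]",
    " minThreadPoolSize=[3]",
    " maxThreadPoolSize=[6]",
    "[2015-10-03 23:32:01.120] INFO Short single-line event",
    "[2015-10-03 23:32:02.450] WARN Another short event",
]

# Simplified stand-in for grok's TIMESTAMP_ISO8601 (assumption: good enough for
# "YYYY-MM-DD HH:MM:SS.mmm"; the real grok pattern also covers time zones etc.).
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?"

# The answer's multiline pattern: a line that starts a new event.
START_PATTERN = re.compile(r"^\[" + TIMESTAMP_ISO8601)


def join_multiline(lines, start_pattern=START_PATTERN, negate=True, what="previous"):
    """Mimic the multiline filter: with negate=True, a line that does NOT match
    start_pattern is a continuation line; what="previous" appends it to the
    preceding event, what="next" prepends it to the following one."""
    events, pending = [], []
    for line in lines:
        matched = bool(start_pattern.search(line))
        continuation = (not matched) if negate else matched
        if what == "previous":
            if continuation and events:
                events[-1] += "\n" + line
            else:
                events.append(line)
        else:  # "next": hold continuation lines until the line they belong to arrives
            pending.append(line)
            if not continuation:
                events.append("\n".join(pending))
                pending = []
    if pending:  # trailing continuation lines with nothing to attach to
        events.append("\n".join(pending))
    return events


# Python version of the grok match in the answer. The GREEDYDATA stand-in is ".*";
# with multiline_message=True it is compiled with re.DOTALL so it spans the "\n"
# that join_multiline inserted, otherwise "." stops at the first newline.
_GROK_SRC = (
    r"\[(?P<timestamp>" + TIMESTAMP_ISO8601 + r")\]\s*(?P<loglevel>\w+)\s*(?P<message>.*)"
)
_GROK_DOTALL = re.compile(_GROK_SRC, re.DOTALL)
_GROK_PLAIN = re.compile(_GROK_SRC)

_DATE_FORMATS = ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M")


def grok_event(event, multiline_message=True):
    """Extract timestamp/loglevel/message from one (possibly joined) event and,
    like the date filter the answer recommends, convert the timestamp string
    into a real datetime under the key "@timestamp". Returns None on no match."""
    pattern = _GROK_DOTALL if multiline_message else _GROK_PLAIN
    m = pattern.match(event)
    if not m:
        return None
    fields = m.groupdict()
    for fmt in _DATE_FORMATS:
        try:
            fields["@timestamp"] = datetime.strptime(fields["timestamp"], fmt)
            break
        except ValueError:
            continue
    return fields


def parse_all(lines):
    """Full pipeline: multiline join, then grok, for a list of raw lines."""
    return [grok_event(e) for e in join_multiline(lines)]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(ev["@timestamp"], ev["loglevel"], repr(ev["message"]))
```

Running it shows three events instead of six: the three indented lines are folded into the first event, and its message field keeps the embedded newlines. Calling grok_event(event, multiline_message=False) on that joined event returns only the first line of the message, which is the kind of truncation to look for when a multi-line event seems to parse "wrong": the regex is not failing, it is simply stopping at the first "\n".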