elasticsearch, logstash, elastic-stack, logstash-grok

Grok Pattern for multiline is not working


    1st|                    2nd|3rd        |4th         |5th                 |6th              |7th          |8th   |2012.07.12 05:31:04      |10th  |ProductDir: C:\samplefiles\test\storage\4.0 (LF)
    C:\samplefiles\test\storage\5.0 (LF)
    SampleDir: (LF)

Note: LF -> Line Feed is getting appended

I have tried the following options. Nothing seems to be working.

  1. match => [ "message", "(?m)....
  2. (?<message>(.|\r|\n)*)
  3. GREEDYDATA is also not working, as it's not considering the new line.
  4. mutate {gsub => ["message", "\n", "LINE_BREAK"] }
  5. codec => multiline { pattern => "^\s" negate => true what => previous }

Solution

  • The below one worked for me.

    codec => multiline{
        pattern => "^\s*\d{1,}\|"
        negate => "true"
        what => "previous"
    }
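
An added example, not part of the original answer: a Python sketch of how the multiline codec groups lines with `what => "previous"`, comparing the `^\s` pattern from the question with the pattern from the solution. The sample lines are constructed and assume each record starts at column 0 with a numeric first field; `multiline_previous` and `split_fields` are hypothetical helper names.

```python
import re


def multiline_previous(lines, pattern, negate=False):
    """Group lines like codec multiline with what => "previous".

    A line that "matches" (after applying negate) is appended to the
    event being built; any other line flushes that event and starts a new one.
    """
    rx = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        matched = bool(rx.search(line))
        if negate:
            matched = not matched
        if not matched and buf:
            events.append("\n".join(buf))  # lines are joined with a line feed
            buf = []
        buf.append(line)
    if buf:
        events.append("\n".join(buf))  # flush the last pending event
    return events


def split_fields(event):
    """Split a merged event into 11 pipe-delimited fields; the last keeps its line feeds."""
    return event.split("|", 10)


# Constructed sample: two records, each with continuation lines.
SAMPLE = [
    r"101|a|b|c|d|e|f|g|2012.07.12 05:31:04|j|ProductDir: C:\samplefiles\test\storage\4.0",
    r"C:\samplefiles\test\storage\5.0",
    "SampleDir: ",
    r"102|a|b|c|d|e|f|g|2012.07.12 05:31:09|j|ProductDir: C:\samplefiles\test\storage\4.0",
    "SampleDir: ",
]

if __name__ == "__main__":
    # Pattern from the question: no line starts with whitespace, so with
    # negate every line is glued to the previous one and records are fused.
    print(len(multiline_previous(SAMPLE, r"^\s", negate=True)))
    # Pattern from the solution: only lines opening with "<digits>|" start an event.
    for ev in multiline_previous(SAMPLE, r"^\s*\d{1,}\|", negate=True):
        print(repr(split_fields(ev)[10]))
```

Because the merged event contains line feeds, any grok or regex applied to it afterwards has to let its wildcard cross line boundaries, which is what the `(?m)` prefix in the first attempt is for.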