Logstash 1.4.1 multiline codec not working
I'm trying to parse a multiline log file. I have tried the multiline codec and the multiline filter. It doesn't work for me.
Log data:
info 2014-06-26 12:34:42,881 [4] [handleschedulerequests] request entity:
user name : user
dlr : 04
text : string
interface type : 1
sender : sdr
debug 2014-06-26 12:34:43,381 [4] [handleschedulerequests] entitis : 1 system.exception
And the configuration file:
input {
  file {
    type => "cs-bulk"
    path => [ "/logs/bulk/*.*" ]
    start_position => "beginning"
    sincedb_path => "/logstash-1.4.1/bulk.sincedb"
    codec => multiline {
      pattern => "^%{level4net}"
      what => "previous"
      negate => true
    }
  }
}
output {
  stdout { codec => rubydebug }
  if [type] == "cs-bulk" {
    elasticsearch { host => localhost index => "cs-bulk" }
  }
}
filter {
  if [type] == "cs-bulk" {
    grok {
      match => { "message" => "%{level4net:level} %{TIMESTAMP_ISO8601:time} %{thread:thread} %{logger:method} %{message:message}" }
      overwrite => ["message"]
    }
  }
}
And when Logstash parses the multiline part, I get the first line, and the tag multiline. The other lines are not parsed!
{
  "@timestamp" => "2014-06-27t16:27:21.678z",
  "message" => "request entity:",
  "@version" => "1",
  "tags" => [
    [0] "multiline"
  ],
  "type" => "cs-bulk",
  "host" => "lab",
  "path" => "/logs/bulk/22.log",
  "level" => "info",
  "time" => "2014-06-26 12:34:42,881",
  "thread" => "[4]",
  "method" => "[handleschedulerequests]"
}
Place (?m) at the beginning of the grok pattern. That will allow the regex to not stop at \n.
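The effect of the answer's fix, as an added Ruby example (not the poster's code and not Logstash's own): grok patterns use the Oniguruma regex syntax that Ruby also uses, where `.` stops at a newline unless `(?m)` is set. The `LEVEL` and `HEAD` regexes are assumed stand-ins for the poster's custom level4net, thread, logger and message patterns, and `join_events` is a hypothetical helper that mimics the codec settings from the question.

```ruby
# Added illustration. LEVEL is an assumed stand-in for the custom %{level4net} pattern.
LEVEL = /^(?:info|debug|warn|error|fatal)\b/

# Constructed sample, based on the log data in the question.
SAMPLE = <<~LOG
  info 2014-06-26 12:34:42,881 [4] [handleschedulerequests] request entity:
  user name : user
  dlr : 04
  text : string
  interface type : 1
  sender : sdr
  debug 2014-06-26 12:34:43,381 [4] [handleschedulerequests] entitis : 1
LOG

# Mimics: codec => multiline { pattern => LEVEL, negate => true, what => "previous" }
# A line that does NOT start with a level is appended to the previous event.
def join_events(text)
  text.each_line(chomp: true).each_with_object([]) do |line, events|
    if line =~ LEVEL || events.empty?
      events << line.dup
    else
      events.last << "\n" << line
    end
  end
end

# Assumed stand-in for the grok expression: level, time, thread, method, message.
HEAD = '(?<level>\w+) (?<time>\S+ \S+) (?<thread>\[\d+\]) (?<method>\[\w+\]) '
WITHOUT_M = Regexp.new(HEAD + '(?<message>.*)')          # '.' stops at \n
WITH_M    = Regexp.new('(?m)' + HEAD + '(?<message>.*)') # '.' also matches \n

# Returns the captured message field, or nil when the event does not match.
def message_of(regex, event)
  m = regex.match(event)
  m && m[:message]
end

first = join_events(SAMPLE).first
puts "without (?m): #{message_of(WITHOUT_M, first).inspect}"
puts "with (?m):    #{message_of(WITH_M, first).inspect}"
```

The codec has already joined the continuation lines into one event; without `(?m)` the message capture keeps only the text up to the first newline, which is the truncated "request entity:" seen in the output above.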