stackoom
  简体   繁体   中英

Logstash grok multiline message

 原文  2014-06-19 13:36:45       regex/ logstash

Question

My logs are formatted like this: 

2014-06-19 02:26:05,556 INFO ok
2014-06-19 02:27:05,556 ERROR
 message:space exception
         at line 85
 solution:increase space
          remove files

There are 2 types of events:

-log on one line like the first

-log on multiple line like the second

I am able to process the one line event, but I am not able to process the second type, where I would like to stock the message in one variable and the solution in another.

This is my config: 

input {
 file {
    path => ["logs/*"]
    start_position => "beginning"
    codec => multiline {
                   pattern => "^%{TIMESTAMP_ISO8601} "
                   negate => true
                   what => previous
    }       
 }
}
filter {
 #parsing of one line event
 grok {
 patterns_dir => "./patterns"
 match=>["message","%{TIMESTAMP_ISO8601:timestamp} %{WORD:level} ok"]
 }
#the parsing fail, so we assumed we are in multiline events, now I process them and I am stuck when I am getting to the new line.
if "_grokparsefailure" in [tags] {
 grok {
 patterns_dir => "./patterns"
 match=>["message","%{TIMESTAMP_ISO8601:timestamp} %{WORD:level}\r\n"]
 }
}

}

So this is what I have done, and I would like to have in my console output the following: 

{
"@timestamp" => "2014-06-19 00:00:00,000"
"path" => "logs/test.log"
"level"=>"INFO"
},
{
"@timestamp" => "2014-06-19 00:00:00,000"
"path" => "logs/test.log"
"level"=>"ERROR"
"message" => "space exception at line 85"
"solution"=>"increase space remove files"
}

Concretely, I would like to get all the expression between two words ("message" and "solution" for the message variable, "solution" and the end of event for the solution variable), and that no matter if the expression is on one or multiple lines.

Thanks in advance

2 answers

solution1
 22  2015-01-30 08:25:10

As for multiline grok, it's best to use special flag for pattern string: 

grok {
    match => ["message", "(?m)%{SYSLOG5424LINE}"]
}

solution2
 12  2014-08-11 14:23:51

It looks like you have two issues:

You need to correctly combine your multilines: 

filter
{
    multiline
   {
        pattern => "^ "
        what => "previous"
   }
}

This will combine any line that begins with a space into the previous line. You may end up having to use a "next" instead of a "previous".

Replace Newlines

I don't believe that grok matches across newlines.

I got around this by doing the following in your filter section. This should go before the grok section: 

mutate
{
    gsub => ["message", "\n", "LINE_BREAK"]
}

This allowed me to grok multilines as one big line rather than matching only till the "\\n".

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Logstash grok pattern to filter custom Log message Logstash grok match pattern for message field LogStash Grok regex backreferences How to grok this input with logstash? Logstash grok & regex filter Logstash grok filter regex logstash / grok pattern file Use of ?> in Logstash Grok patterns Logstash Grok pattern with double quotes Logstash - Grok - Exception on multiple lines
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM