Aldian

Reputation: 2622

Logstash multiline not grouping the messages

I followed the Logstash documentation about multiline and tried to experiment with it using a basic stdin & stdout configuration, but it does not seem to work. The tag "multiline" is added on the next messages, but they end up as separate entries with a "_grokparsefailure" tag.

What am I missing?

Edit: as a reference I was using a stacktrace multiline filter.

Upvotes: 1

Views: 1796

Answers (3)

Ban-Chuan Lim

Reputation: 7890

This is my configuration. I use the example from Logstash multiline:

input {
    stdin {
    }
}

filter {
    multiline {
       # Grok pattern names are valid! :)
       pattern => "^%{TIMESTAMP_ISO8601} "
       negate => true
       what => previous
    }
}


output {
    stdout {debug => true}
}

With these logs, the multiline function works for me.

2014-02-24 10:00:01  abcde
1qaz
2014-01-01 11:11:11
2wsx

I enter the logs one by one and wait for 1 minute between each line, so I didn't run into your problem. Please verify your configuration.

Upvotes: 0

Murthy

Reputation: 387

Please follow the example mentioned in the blog. I successfully implemented multiline with this approach.

For more clarification, please provide your config along with a sample input message.

Upvotes: 1

Aldian

Reputation: 2622

Ok that one was a bit tricky, so I thought it might be appreciated if I gave the solution here. I found it in this post: multiline triggers only if the next lines come quickly (within 1~2 seconds). So when experimenting, if you take your time copying and pasting each line you will think it doesn't work while it actually does.

Upvotes: 1
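Added example, not part of the original posts and not Logstash's own code: a small Python model of the `negate => true` / `what => previous` grouping from the configuration above, combined with the arrival-time window described in the last answer. The regex standing in for `TIMESTAMP_ISO8601`, the `idle_flush` value, the function name and the sample stack-trace lines are assumptions constructed for illustration.

```python
import re

# Simplified stand-in for "^%{TIMESTAMP_ISO8601} " (assumption, not grok itself).
START = re.compile(r"^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(:\d{2})? ")

# Constructed sample input: one stack trace followed by a new log record.
SAMPLE = [
    "2014-02-24 10:00:01 ERROR request failed",
    "java.lang.IllegalStateException: boom",
    "    at com.example.App.run(App.java:42)",
    "2014-02-24 10:00:05 INFO retrying",
]

def group_multiline(timed_lines, idle_flush=2.0):
    """Group (arrival_seconds, line) pairs into events.

    A line that does NOT match START (negate => true) is appended to the
    previous event (what => previous). A pending event is emitted once no
    line has arrived for idle_flush seconds; 2.0 is an assumed value taken
    from the "1~2 seconds" window mentioned in the answer.
    """
    events, pending, last_seen = [], None, None
    for arrival, line in timed_lines:
        if pending is not None and arrival - last_seen > idle_flush:
            events.append(pending)      # idle timeout: nothing left to join to
            pending = None
        is_continuation = START.match(line) is None
        if is_continuation and pending is not None:
            pending["message"] += "\n" + line
            pending["tags"] = ["multiline"]
        else:
            if pending is not None:
                events.append(pending)
            # An orphaned continuation is still tagged but stands alone,
            # which is the symptom described in the question.
            pending = {"message": line,
                       "tags": ["multiline"] if is_continuation else []}
        last_seen = arrival
    if pending is not None:
        events.append(pending)
    return events

if __name__ == "__main__":
    pasted = [(i * 0.1, l) for i, l in enumerate(SAMPLE)]   # pasted as a block
    typed = [(i * 60.0, l) for i, l in enumerate(SAMPLE)]   # one line per minute
    print(len(group_multiline(pasted)), "events when pasted together")
    print(len(group_multiline(typed)), "events when entered slowly")
```

For ingestion pipelines this means a stack trace should be tested by feeding the whole trace at once, since a split trace loses its timestamped first line and is much harder to correlate or alert on.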
