Reputation: 2722
I've searched SO and of course the search engine of choice but found no valid solution.
I am trying to parse a multiline logfile with logstash without any success.
The logfile looks like:
appl.log
2014-02-31 11:06:55,268 - WARN main com.applicationname.commons.shop.OrderDetails
java.lang.NullPointerException
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
2014-02-31 11:06:55,268 - WARN main com.applicationname.commons.shop.OrderDetails
java.lang.NullPointerException
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
at sometexthere sometexthere
AFAIK the lines are starting with "\t...at "
My current (non-working) conf for logstash looks like:
logstash.conf
input =>
input {
  file {
    path => "/var/log/appl.log"
    type => "appl"
    codec => multiline {
      negate => true
      pattern => "^\s"
      what => "previous"
    }
  }
}
filter =>
filter {
  if [type] == "appl" {
    grok {
      add_tag => [ "groked" ]
      match => ["message", ".*"]
      remove_tag => ["_grokparsefailure"]
    }
  }
}
Any lead in the right direction for a working multiline filter is welcome.
Upvotes: 1
Views: 6935
Reputation: 1975
Try this:
input =>
input {
  file {
    path => "/var/log/appl.log"
    type => "appl"
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate => true
      what => "previous"
    }
  }
}
filter =>
filter {
  if [type] == "appl" {
    grok {
      add_tag => [ "groked" ]
      match => ["message", ".*"]
      remove_tag => ["_grokparsefailure"]
    }
  }
}
Upvotes: 4
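An added example, not part of either post and not Logstash's own code: a small Python model of how the multiline codec groups lines with what => "previous", run with the question's pattern and with the answer's pattern. The sample log is constructed in the shape of appl.log (tab-indented "at" frames assumed), the regex TS is a simplified stand-in for %{TIMESTAMP_ISO8601}, and limits such as max_lines are ignored.

```python
import re

# Constructed sample in the shape of the question's appl.log.
SAMPLE = (
    "2014-02-28 11:06:55,268 - WARN main com.applicationname.commons.shop.OrderDetails\n"
    "java.lang.NullPointerException\n"
    "\tat sometexthere sometexthere\n"
    "\tat sometexthere sometexthere\n"
    "2014-02-28 11:06:56,001 - WARN main com.applicationname.commons.shop.OrderDetails\n"
    "java.lang.NullPointerException\n"
    "\tat sometexthere sometexthere\n"
)

# Simplified stand-in (assumption) for the grok pattern "^%{TIMESTAMP_ISO8601} ".
TS = r"^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)? "


def multiline_previous(lines, pattern, negate):
    """Model of the codec with what => "previous": a line is appended to the
    previous event when (pattern matched XOR negate) is true; otherwise the
    buffered event is closed and the line starts a new one."""
    rx = re.compile(pattern)
    events = []
    for line in lines:
        matched = rx.search(line) is not None
        belongs_to_previous = matched != negate
        if belongs_to_previous and events:
            events[-1].append(line)
        else:
            events.append([line])
    return ["\n".join(event) for event in events]


def group(text, pattern, negate=True):
    return multiline_previous(text.splitlines(), pattern, negate)


# Question's codec: every indented "at" line starts its own event, and the
# next timestamp line is glued onto the last stack frame before it.
question_events = group(SAMPLE, r"^\s")
# Answer's codec: only a line starting with a timestamp opens a new event.
answer_events = group(SAMPLE, TS)

if __name__ == "__main__":
    for name, events in (("question", question_events), ("answer", answer_events)):
        print(f"--- {name}: {len(events)} events")
        for event in events:
            print(repr(event))
```

With negate => true the pattern has to describe the first line of an event, which is why anchoring on the timestamp keeps each stack trace in one event.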