Reputation: 1561
logstash multiline pattern to detect lines that should be aggregated
I would like to detect lines that does not contain date and time in the following format which should be aggregated to the previous line:
28.04.2017;15:13:30.276
So I created a custom grok pattern like that:
MLINE %{MONTHDAY}\.%{MONTH}\.%{YEAR};%{TIME}
And this is my multiline configuration:
codec => multiline {
pattern => "%{MLINE}"
negate => true
what => "previous"
}
What I expected is that if the log line coming to logstash does not contain %{MLINE}, then it should be aggregated to the previous line.
But this is not happening and I do not understand why. Basically every log line is considered to be aggregated, and logstash will soon end due to cache limit.
What I am doing wrong?
Upvotes: 2
Views: 242
Answers (1)
Reputation: 4089
The %{MONTH} pattern matches words such as Aug, Feb, September. You want the %{MONTHNUM} pattern.
The pattern you want is:
MLINE %{MONTHDAY}\.%{MONTHNUM}\.%{YEAR};%{TIME}
I tested this using the grok constructor which has a multiline tool.
Upvotes: 1
Related Questions
- How to process multiline log entry with logstash filter?
- How to process Logstash Multiline entry?
- Logstash Processing Multi Line records from file
- Logstash Aggregate filter, add information to next lines
- Unable to get the parse value out of multi-line logs in logstash
- Logstash will not process logs that span multiple lines
- How to make Logstash multiline filter merge lines based on some dynamic field value?
- Logstash - grok multiline
- Logstash grok multiline message
- Multiline pattern for logstash