How do I match a newline in grok/logstash?
I have a remote machine that combines multiline events and sends them across the lumberjack protocol.
What comes in is something that looks like this:
-
All
GREEDYDATAis is.*, but.doesn't match newline, so you can replace%{GREEDYDATA:message}with(?<message>(.|\r|\n)*)and get it to be truly greedy.讨论(0) -
My final grok for Vertica log using (?m) and [^\n]+
match => ["message","(?m)%{TIMESTAMP_ISO8601:ClientTimestamp}%{SPACE}(%{DATA:Action}:)?(%{DATA:ThreadID} )?(\[%{DATA:Module}\] )?(\<%{DATA:Level}\> )?(\[%{DATA:SubAction}\] )?(@%{DATA:Nodename}:)?( (?<Session>(\{.*?\} )?.*?/.*?): )?(?<message>[^\n]+)((\n)?(\t)?(?<StackTrace>[^\n]+))?"]Thanks to asperla
https://github.com/elastic/logstash/issues/2282
讨论(0) -
Adding the regex flag to the beginning allows for matching newlines:
match => [ "message", "(?m)%{TIMESTA...讨论(0)
加载中...
- 热议问题