发表新帖
发表新帖

Logstash grok multiline message

后端 未结
关注
2 1522
伪装坚强ぢ
伪装坚强ぢ 2020-12-30 00:13

My logs are formatted like this:

2014-06-19 02:26:05,556 INFO ok
2014-06-19 02:27:05,556 ERROR
 message:space exception
         at line 85
 solution:increas
相关标签:
2条回答
  • 生来不讨喜
    2020-12-30 00:32

    It looks like you have two issues:

    You need to correctly combine your multilines:

    filter
{
    multiline
   {
        pattern => "^ "
        what => "previous"
   }
}

    This will combine any line that begins with a space into the previous line. You may end up having to use a "next" instead of a "previous".

    Replace Newlines

    I don't believe that grok matches across newlines.

    I got around this by doing the following in your filter section. This should go before the grok section:

    mutate
{
    gsub => ["message", "\n", "LINE_BREAK"]
}

    This allowed me to grok multilines as one big line rather than matching only till the "\n".

    0 讨论(0)
  • 庸人自扰
    2020-12-30 00:45

    As for multiline grok, it's best to use special flag for pattern string:

    grok {
    match => ["message", "(?m)%{SYSLOG5424LINE}"]
}
    0 讨论(0)
 看不清?
提交回复
热议问题