
I am trying to parse and analyse my logs with Logstash, and output them to Elasticsearch. Logstash treats each line in the log file as a new log entry, but the problem is that one log entry could span multiple lines. I want to configure the filter to extract the useful data (date, thread, query...).

Jordan Stewart
  • Possible duplicate of [How to process logstash multiline filter's message field?](https://stackoverflow.com/questions/22172879/how-to-process-logstash-multiline-filters-message-field) – Jordan Stewart Jul 07 '17 at 12:56

1 Answer


You'll need to look at the multiline filter - http://logstash.net/docs/1.4.1/filters/multiline

I've done something similar with MariaDB logs which can be multiline - the regular expressions will be different but have a look at http://simonhanmer.co.uk/processing-mysql-mariadb-galera-logs-for-logstash/ for some ideas

OK, extracting the thread is fairly straightforward since it's delimited by [], but the query is a little more difficult. If it's always preceded by the line shown, you could use something like this:

input {
    pipe {
        # Windows: 'type' streams the file to stdout, which the pipe input reads
        command => 'type C:\Users\MEGDICHE\Downloads\default.log'
    }
}

filter {
    # Any line that does NOT start with "Mon DD" belongs to the previous event
    multiline {
        pattern => "^%{MONTH} %{MONTHDAY}"
        negate  => true
        what    => "previous"
    }

    # (?m) lets GREEDYDATA span the newlines of the stitched event
    grok {
        match => [ 'message', "(?m)^%{MONTH} %{MONTHDAY}.*\[%{GREEDYDATA:thread}\]:%{GREEDYDATA:rest_of_message}" ]
    }

    # Only events mentioning a select carry a query on their last line
    if [rest_of_message] =~ /select/ {
        grok {
            match => [ 'message', '(?m).*\nThe query before.*\n%{GREEDYDATA:query}$' ]
        }
    }

    # rest_of_message was only needed for the conditional above
    mutate {
        remove_field => [ 'rest_of_message' ]
    }
}

output {
    elasticsearch { host => "localhost" }
    stdout { codec => rubydebug }
}
SimonH
  • Thank you SimonH. Please, do you have an idea on this case: filter { multiline { type => "somefiletype" pattern => "\\$" /* this one I want to replace with ":" */ what => "next" } – MEGDICHE007 Mar 26 '15 at 16:40
  • In the example data above, would you expect the last two lines to be captured against the last line with a timestamp? It would be useful if you could give an example of what you would expect given the log entries above. – SimonH Mar 26 '15 at 16:44
  • Yes, because the last three lines are one log entry. I want to extract the thread (example: default-[DashBoard Thread]) and the query (select count(*) from epool). – MEGDICHE007 Mar 26 '15 at 16:49
  • OK, I've amended the answer I gave earlier to include some possible code. – SimonH Mar 26 '15 at 20:09
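To make the behaviour of the accepted configuration concrete, here is an added Python emulation of the same pipeline stages (multiline stitching with negate/previous, the header grok, the conditional query grok). It is not code from the answer or from Logstash itself; the log lines are constructed from the thread and query examples given in the comments, and the Python regexes stand in for the grok patterns (MONTH, MONTHDAY, GREEDYDATA are re-expressed by hand, and the thread capture is tightened to `[^\]]*` so a `]` later in the message cannot make GREEDYDATA over-match).

```python
import re

# Hand-written stand-ins for the grok patterns %{MONTH} and %{MONTHDAY}
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
MONTHDAY = r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])"

# multiline { pattern => "^%{MONTH} %{MONTHDAY}" negate => true what => "previous" }
ENTRY_START = re.compile(rf"^{MONTH} {MONTHDAY}")

# grok header match; re.DOTALL plays the role of grok's (?m) so the
# trailing capture spans the newlines of the stitched event.
# GREEDYDATA:thread is tightened to [^\]]* (assumption, not the page's pattern).
HEADER = re.compile(
    rf"^{MONTH} {MONTHDAY}.*\[(?P<thread>[^\]]*)\]:(?P<rest_of_message>.*)", re.DOTALL
)

# grok query match: everything after the last newline following "The query before"
QUERY = re.compile(r".*\nThe query before.*\n(?P<query>.*)$", re.DOTALL)

# Constructed sample: entry 2 spans three lines, as described in the comments
SAMPLE_LOG = """\
Mar 26 15:01:02 INFO default-[DashBoard Thread]: Refreshing dashboard widgets
Mar 26 15:01:03 WARN default-[DashBoard Thread]: Slow statement logged
The query before this line took 4500 ms
select count(*) from epool
Mar 26 15:01:04 INFO default-[Scheduler Thread]: Next run in 60 s
"""


def stitch_multiline(lines):
    """Emulate the multiline filter: a line that does NOT match the start
    pattern (negate => true) is appended to the previous event."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if ENTRY_START.match(line) or not events:
            events.append(line)           # new event
        else:
            events[-1] += "\n" + line     # what => "previous"
    return events


def parse_event(event):
    """Emulate the grok / if / grok / mutate stages on one stitched event."""
    m = HEADER.match(event)
    if not m:
        # Logstash tags an unmatched event instead of dropping it
        return {"message": event, "tags": ["_grokparsefailure"]}
    fields = {"message": event, "thread": m.group("thread")}
    rest_of_message = m.group("rest_of_message")
    # if [rest_of_message] =~ /select/ { grok { ... query ... } }
    if re.search(r"select", rest_of_message):
        q = QUERY.match(event)
        if q:
            fields["query"] = q.group("query").strip()
    # mutate { remove_field => ['rest_of_message'] }: the field is never kept
    return fields


def parse_log(text):
    """Full pipeline: raw text in, list of event dicts out."""
    return [parse_event(e) for e in stitch_multiline(text.splitlines())]


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev)
```

Running it shows three events rather than five lines: the second event carries `thread = "DashBoard Thread"` and `query = "select count(*) from epool"`, while the other two have a thread but no query field, which is exactly the split the conditional grok in the answer produces.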