Description
Below is the config file
```
input {
  file {
    path => ["Records.log"]
    sincedb_path => "/dev/null"      # do not remember the read position between runs
    start_position => "beginning"
    codec => multiline {
      # a line that does NOT start with "yyyy-MM-dd " is appended to the previous event
      pattern => "^[\d]{4}-[\d]{2}-[\d]{2} "
      negate => true
      what => "previous"
    }
  }
}
filter {
  mutate {
    # flatten the joined lines: newlines and tabs become spaces
    gsub => [
      "message", "\n", " ",
      "message", "\t", " "
    ]
  }
  grok {
    patterns_dir => "patterns"
    match => { "message" => "%{START_TIME:START_TIME:date} %{LOGLEVEL1:loglevel1}" }
  }
  date {
    match => [ "START_TIME", "yyyy-MM-dd HH:mm:ss.SSS" ]
  }
  if "_grokparsefailure" in [tags] { drop {} }
}
output {
  stdout {
    codec => rubydebug
  }
}
```
Below are the patterns used
```
YEAR (\d){4}
MONTHNUM (\d){2}
MONTHDAY (\d){2}
DATE %{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY}
HOUR (\d){2}
MINUTE (\d){2}
SECOND (\d){2}
MILLISECOND (\d){3}
START_TIME %{DATE} %{TIMESTAMP}
LOGLEVEL1 ([!-Ó¶a-z0-9$.+!'(){},~:;=@#&%-?/"//<>|\t ]_)+
```
Below are the records I'm trying to load
```
2016-03-18 00:00:00.000 ABC DEF GHI
2016-03-18 00:00:00.000
THIS IS A MULTILINE
2016-03-18 00:00:00.000 THIS IS NOT A MULTILINE
2016-03-18 00:00:00.000 ABC DEF GHI
```
But I'm not able to match the multiline data. Could anyone please help with this?
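The following is an added example, not code from the issue or from Logstash itself. It replays the posted pipeline in plain Python over the five records above so you can see which events the multiline codec produces, what the gsub step turns them into, and which of them grok would then match or drop. Two assumptions are made, because the posted patterns never define `%{TIMESTAMP}` and the `LOGLEVEL1` pattern is garbled: `START_TIME` is taken to be `yyyy-MM-dd HH:mm:ss.SSS` (the same layout the date filter expects) and `loglevel1` is taken to be the first whitespace-delimited token after it. The `RECORDS` list is constructed from the lines in the issue.

```python
import re
from datetime import datetime

# Constructed input: the five records quoted in the issue.
RECORDS = [
    "2016-03-18 00:00:00.000 ABC DEF GHI",
    "2016-03-18 00:00:00.000",
    "THIS IS A MULTILINE",
    "2016-03-18 00:00:00.000 THIS IS NOT A MULTILINE",
    "2016-03-18 00:00:00.000 ABC DEF GHI",
]

# Same regex as the codec's `pattern` option in the posted config.
MULTILINE_PATTERN = re.compile(r"^[\d]{4}-[\d]{2}-[\d]{2} ")

# Stand-in for the posted START_TIME / LOGLEVEL1 grok patterns (assumption:
# the posted patterns do not define %{TIMESTAMP}, so HH:mm:ss.SSS is used here,
# and loglevel1 is the first token after the timestamp). Like grok, the match
# is a search, not anchored at the start of the message.
GROK = re.compile(
    r"(?P<START_TIME>\d{4}[/-]\d{2}[/-]\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<loglevel1>\S+)"
)
DATE_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # Python spelling of "yyyy-MM-dd HH:mm:ss.SSS"


def multiline_events(lines, pattern=MULTILINE_PATTERN, negate=True):
    """Replay the multiline codec with what => previous.

    A line that matches `pattern` (after applying `negate`) is appended to the
    event currently being buffered; any other line closes that event and starts
    a new one. The last buffered event is flushed here at end of input; the real
    codec only releases it when auto_flush_interval expires or Logstash stops.
    """
    events, buf = [], []
    for line in lines:
        matched = bool(pattern.search(line))
        if negate:
            matched = not matched
        if matched and buf:          # belongs to the previous event
            buf.append(line)
        else:                        # starts a new event
            if buf:
                events.append("\n".join(buf))
            buf = [line]
    if buf:
        events.append("\n".join(buf))
    return events


def mutate_gsub(message):
    """The two gsub rules from the config: newlines and tabs become spaces."""
    return message.replace("\n", " ").replace("\t", " ")


def grok_and_date(message):
    """grok followed by the date filter.

    Returns the extracted fields, or None where the config would add the
    _grokparsefailure tag and the `drop {}` conditional would discard the event.
    """
    m = GROK.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    fields["message"] = message
    fields["@timestamp"] = datetime.strptime(fields["START_TIME"], DATE_FORMAT)
    return fields


def run_pipeline(lines):
    """End to end: multiline codec -> mutate gsub -> grok -> date -> drop on failure."""
    out = []
    for event in multiline_events(lines):
        parsed = grok_and_date(mutate_gsub(event))
        if parsed is not None:
            out.append(parsed)
    return out


if __name__ == "__main__":
    for ev in run_pipeline(RECORDS):
        print(ev)
```

Run as-is, the five records become four events and all four parse: the second event is the joined pair `2016-03-18 00:00:00.000 THIS IS A MULTILINE`, with `loglevel1` set to `THIS`. Two things the replay makes visible are worth checking against a real run. First, if the gsub step is missing, the joined event still carries a newline right after the timestamp, the `START_TIME` pattern needs a space there, and the event is tagged `_grokparsefailure` and dropped; the same happens to a record that consists of only a timestamp. Second, the last event in the file is held in the codec's buffer until `auto_flush_interval` expires or Logstash shuts down, so a missing final event on stdout is not necessarily a pattern problem.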