I followed logstash documentation about multiline and tried to experiment it with a basic stdin & stdout configuration, but it does not seem to work. The tag "multiline" is added on the next messages, but they end as separate entries with a "_grokparsefailure" tag.
What am I missing?
Edit: as a reference I was using a stacktrace multiline filter.
Ok that one was a bit tricky, so I thought it might be appreciated if I gave here the solution. I found it in this post: multiline triggers only if the next lines come quickly (within 1~2 second). So when experimenting, if you take your time copying and pasting each line you will think it doesn't work while it actually does.
Please follow the example mentioned in the blog. I successfully implemented multiline with this approach.
For more clarification, please provide your config along with sample input message.
This is my configuration. I use the example from Logstash multiline
input {
stdin {
}
}
filter {
multiline {
# Grok pattern names are valid! :)
pattern => "^%{TIMESTAMP_ISO8601} "
negate => true
what => previous
}
}
output {
stdout {debug => true}
}
With this logs, The multiline function is work on me.
2014-02-24 10:00:01 abcde
1qaz
2014-01-01 11:11:11
2wsx
I enter the logs one by one and wait for 1 minute between each line. So, I didn't have meet your problem. Please verify your configuration.
