2
votes

I would like to process multiline logs with logstash using multiple worker threads for performance, but the multiline filter doesn't work:

- https://github.com/elastic/logstash/pull/1591
- https://github.com/elastic/logstash/issues/1590

solutions for now:

Clearly none of these is nice, so is there anyone who has a decent solution for this?

4
The multiline filter's stream_identity parameter doesn't help? - Magnus Bäck
Hi @MagnusBäck, unfortunately the multiline filter doesn't work with multiple worker threads as it is, so I can't use this parameter. I asked for an estimated time for fixing it but am still waiting for the response. (github.com/elastic/logstash/pull/1591#issuecomment-81541730) - Balazs Varhegyi
You found the right answer ("you can't"). You might consider running two logstash indexers, one for multiline and one (multiple workers) for everything else. - Alain Collins
Thank you @AlainCollins for the suggestion, I got a similar answer on the GitHub site too: github.com/elastic/logstash/pull/1591#issuecomment-81746591 - Balazs Varhegyi
@BalazsVarhegyi have you found a solution for this? I am running into this exact problem right now. - jmreicha

4 Answers

2
votes

An alternative would be using log-courier instead of logstash-forwarder. It performs the multiline processing prior to sending it to logstash:

https://github.com/driskell/log-courier/blob/master/docs/codecs/Multiline.md

There is a request to support this also in logstash-forwarder:

https://github.com/elastic/logstash-forwarder/issues/309

I'm curious, how did you send multiline logs to a specific single-threaded logstash and the rest to the others?

2
votes

There's another alternative:

  1. Do your multiline processing directly in your inputs, using the multiline codec. Obviously this bit will be single-threaded per input.

  2. Then use the rest of your filters normally. This will be multi-threaded, per filter worker, if -w <threads> was provided.

The Logstash Pipeline's Thread Model is documented as follows:

The thread model in Logstash is currently:

input threads | filter worker threads | output worker
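
A simplified model of the layout described in the answer above, added here as an example and not taken from the answer or from Logstash itself: it joins continuation lines the way a `^\s` / `previous` rule does and shows that joining inside parallel workers misattributes stack frames, while joining once at the input and then fanning out does not. The sample log lines, the function names and the round-robin dispatch are assumptions made for illustration.

```python
import re

# Constructed sample log: three events, two of them with indented stack frames.
LINES = [
    "ERROR Unhandled exception in request handler",
    "    at app.handler(handler.py:42)",
    "    at app.server(server.py:10)",
    "INFO request served in 12ms",
    "ERROR Database timeout",
    "    at db.query(db.py:7)",
]

# Same rule as a multiline setting of pattern => "^\s", what => "previous".
CONTINUATION = re.compile(r"^\s")


def join_multiline(lines):
    """Append each continuation line to the event before it (stateful, order-dependent)."""
    events = []
    for line in lines:
        if CONTINUATION.search(line) and events:
            events[-1] += "\n" + line
        else:
            events.append(line)  # new event, or an orphaned continuation line
    return events


def join_inside_workers(lines, workers):
    """Failing layout (assumed round-robin dispatch): each worker joins only its own lines."""
    shards = [lines[i::workers] for i in range(workers)]
    return [event for shard in shards for event in join_multiline(shard)]


def join_then_fan_out(lines, workers):
    """The answer's layout: join once at the input, then give whole events to the workers."""
    events = join_multiline(lines)
    shards = [events[i::workers] for i in range(workers)]
    # Per-event work (here: tagging severity) needs no shared state, so it parallelises safely.
    return [{"severity": e.split()[0], "message": e} for shard in shards for e in shard]


if __name__ == "__main__":
    for event in join_inside_workers(LINES, 2):
        print(repr(event))  # the db.query frame ends up attached to the INFO event
    for event in join_then_fan_out(LINES, 2):
        print(event["severity"], repr(event["message"]))
```

For log pipelines that feed detection or incident response, the failing layout matters because a stack frame glued to the wrong event silently corrupts the record an analyst later relies on.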

0
votes

I ended up using a separate logstash to process multilines. It is configured to use one worker thread and uses the multiline filter. If the performance is still not okay, you can add more logstash instances that each use just one worker thread. Then when someone fixes it we will remove this extra logstash instance.

-2
votes

Try something like,

    multiline {
      pattern => "(Stack trace:)|(^#.+)|(^\"\")|(  thrown+)|(^\s)"
      what    => "previous"
    }

I'm using it for PHP fatal errors.