Several use cases generate events that span multiple lines of text. In order to correctly handle these multiline events,Logstash needs to know how to tell which lines are part of a single event.
Multiline event processing is complex and relies on proper event ordering. The best way to guarantee ordered logprocessing is to implement the processing as early in the pipeline as possible.
The multiline codec is the preferred tool for handling multiline eventsin the Logstash pipeline. The multiline codec merges lines from a single input usinga simple set of rules.
If you are using a Logstash input plugin that supports multiple hosts, such asthe beats input plugin, you should not use themultiline codec to handle multiline events. Doing so may result in themixing of streams and corrupted event data. In this situation, you need to handle multilineevents before sending the event data to Logstash.
The most important aspects of configuring the multiline codec are the following:
- The
patternoption specifies a regular expression. Lines that match the specified regular expression are consideredeither continuations of a previous line or the start of a new multiline event. You can usegrok regular expression templates with this configuration option. - The
whatoption takes two values:previousornext. Thepreviousvalue specifies that lines that match thevalue in thepatternoption are part of the previous line. Thenextvalue specifies that lines that match the valuein thepatternoption are part of the following line.* Thenegateoption applies the multiline codec to lines thatdo not match the regular expression specified in thepatternoption.
See the full documentation for the multiline codec plugin for more informationon configuration options.
The examples in this section cover the following use cases:
- Combining a Java stack trace into a single event
- Combining C-style line continuations into a single event
- Combining multiple lines from time-stamped events
Java stack traces consist of multiple lines, with each line after the initial line beginning with whitespace, as inthis example:
Exception in thread "main" java.lang.NullPointerException at com.example.myproject.Book.getTitle(Book.java:16) at com.example.myproject.Author.getBookTitles(Author.java:25) at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
To consolidate these lines into a single event in Logstash, use the following configuration for the multiline codec:
input { stdin { codec => multiline { pattern => "^\s" what => "previous" } }}
This configuration merges any line that begins with whitespace up to the previous line.
Several programming languages use the \ character at the end of a line to denote that the line continues, as in thisexample:
printf ("%10.10ld \t %10.10ld \t %s\ %f", w, x, y, z );
To consolidate these lines into a single event in Logstash, use the following configuration for the multiline codec:
input { stdin { codec => multiline { pattern => "\\$" what => "next" } }}
This configuration merges any line that ends with the \ character with the following line.
Activity logs from services such as Elasticsearch typically begin with a timestamp, followed by information on thespecific activity, as in this example:
[2015-08-24 11:49:14,389][INFO ][env ] [Letha] using [1] data paths, mounts [[/(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]
To consolidate these lines into a single event in Logstash, use the following configuration for the multiline codec:
input { file { path => "/var/log/someapp.log" codec => multiline { pattern => "^%{TIMESTAMP_ISO8601} " negate => true what => previous } }}
This configuration uses the negate option to specify that any line that does not begin with a timestamp belongs tothe previous line.