How to extend a field with a multiline message

Question

I have a logstash conf like so:

input {
  lumberjack {
    port => 5000
    type => "logs"
    ssl_certificate => "/path/to/mycert"
    ssl_key => "/path/to/mykey"
  }
}

filter {
  if [type] == "logs" {
    if [message] =~ /^\d\d\d\d/ {
      grok {
        match        => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:other_field} %{GREEDYDATA:content}" }
        add_field    => [ "received_at", "%{@timestamp}" ]
        add_field    => [ "received_from", "%{host}" ]
      }
    }
    multiline {
      pattern => "^\d\d\d\d"
      what    => "previous"
      negate  => true
    }
  }
}

output {
  elasticsearch { host => localhost }
}

Here's a sample log:

2015-04-09T04:56:37.548Z OtherField Send message:
Keepalive {
  Type: keepalive
  key: ABCDE
  time Thu Apr 09 00:56:37 EDT 2015
}

The content field ends up with the string "Send message:\n" and nothing else. We want the content field to extend and contain: "Send message:\nKeepalive {\n Type: keepalive\n key: ABCDE\n time Thu Apr 09 00:56:37 EDT 2015\n}"

I've tried using add_field, but I can't even convince it to add a simple field (ie, "multilinemsg", "true") let alone extend the content field.

Any help would be appreciated!

Can you give an example of your log file and what are you trying to achieve? -- Asaf. — Asaf Yigal, Aug 24 '15 at 06:26
Sorry ... I missed your comment for some reason. Just added the requested info. — goofdad, Sep 03 '15 at 20:39

How to extend a field with a multiline message

0 Answers0