Logstash: Multiline: message stays in buffer until new log entry

Created on 27 Jun 2014  路  7Comments  路  Source: elastic/logstash

Hello,

Currently when using the multiline codec a message will only be outputted when Logstash is able to determine the end of the log entry. The end of a multiline log message can only be determined when a new one comes in. When watching a log that doesn't receive many log entries this is annoying. It would be nice if it was possible to set somekind of timeout on the multiline functionality so the the buffer is outputted before the next log message comes in.

picture wvdongen

Most helpful comment

In case anyone else finds this and is trying to get the multiline codec to output the last log record that it has in its buffer after a timeout, the parameter you want is auto_flush_interval which was introduced with Logstash 2.2.

The value is specified in seconds you want to wait before the codec flushes whatever it has into a new event.

Here is an example from a windows based logstash configuration:

input {
    file {
        path => "$LogstashFilePathValue"
        type => "DemandwareError"
        tags => "$EnvironmentName"
        start_position => "beginning"
        sincedb_path => "NUL"
        codec => multiline {
            pattern => "\A\[%{TIMESTAMP_ISO8601:demandware_timestamp} GMT\]"
            negate => true
            what => previous
            auto_flush_interval => 10
        }
    }
}
picture ChrisMagnuson on 5 Apr 2016
👍53

All 7 comments

This seems to work if you use multiline as an input codec.

runningman84 picture runningman84 on 27 Jun 2014

What do you mean? The above behavior happens when using the multiline input codec.

wvdongen picture wvdongen on 27 Jun 2014

This issue has been lurking over at Jira for quite some time now.. https://logstash.jira.com/browse/LOGSTASH-202

I feel tempted to start implementing something along the lines of @jordansissel's suggestion on 03/Dec/12 12:30 PM in Jira.. :)

xkr47 picture xkr47 on 6 Aug 2014

Perhaps #1545 is related too?

xkr47 picture xkr47 on 6 Aug 2014

yes, #1545 will solve the filter flushing and currently there is no timeout based flushing in the codecs.

colinsurprenant picture colinsurprenant on 6 Aug 2014

Closing this. #1545 is merged in

suyograo picture suyograo on 22 Jan 2015

In case anyone else finds this and is trying to get the multiline codec to output the last log record that it has in its buffer after a timeout, the parameter you want is auto_flush_interval which was introduced with Logstash 2.2.

The value is specified in seconds you want to wait before the codec flushes whatever it has into a new event.

Here is an example from a windows based logstash configuration:

input {
    file {
        path => "$LogstashFilePathValue"
        type => "DemandwareError"
        tags => "$EnvironmentName"
        start_position => "beginning"
        sincedb_path => "NUL"
        codec => multiline {
            pattern => "\A\[%{TIMESTAMP_ISO8601:demandware_timestamp} GMT\]"
            negate => true
            what => previous
            auto_flush_interval => 10
        }
    }
}
ChrisMagnuson picture ChrisMagnuson on 5 Apr 2016
👍53
Was this page helpful?
0 / 5 - 0 ratings

Related issues

marcinpm picture marcinpm  路  3Comments
ashangit picture ashangit  路  4Comments
max-wittig picture max-wittig  路  4Comments
dorj1234 picture dorj1234  路  3Comments
dvic picture dvic  路  3Comments