Telegraf: Feature request: Matching multiple lines
Comes from https://community.influxdata.com/t/match-multiple-lines-with-telegraf/2362
I would like to process logs like this:
F, [2017-09-14T01:51:38.273072 #77375] FATAL -- :
F, [2017-09-14T01:51:38.273170 #77375] FATAL -- : ActionController::RoutingError (No route matches [GET] "/rails_app"):
F, [2017-09-14T01:51:38.273226 #77375] FATAL -- :
F, [2017-09-14T01:51:38.273297 #77375] FATAL -- : actionpack (5.1.4) lib/action_dispatch/middleware/debug_exceptions.rb:63:in `call'
web-console (3.5.1) lib/web_console/middleware.rb:135:in `call_app'
web-console (3.5.1) lib/web_console/middleware.rb:28:in `block in call'
web-console (3.5.1) lib/web_console/middleware.rb:18:in `catch'
web-console (3.5.1) lib/web_console/middleware.rb:18:in `call'
actionpack (5.1.4) lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
railties (5.1.4) lib/rails/rack/logger.rb:36:in `call_app'
railties (5.1.4) lib/rails/rack/logger.rb:24:in `block in call'
activesupport (5.1.4) lib/active_support/tagged_logging.rb:69:in `block in tagged'
activesupport (5.1.4) lib/active_support/tagged_logging.rb:26:in `tagged'
...
I'm parsing with:
[inputs.logparser.grok]
patterns = ["%{CUSTOM_CORE_LOG}"]
custom_patterns = '''
CUSTOM_CORE_LOG ^[DFEWI], \[%{TIMESTAMP_ISO8601:ts:ts-"2006-01-02T15:04:05.000000"} #%{POSINT:pid:int}\]\s+%{DATA:loglevel:tag} (\-\- :)?\s*%{GREEDYDATA:message}$
'''
I hope to get error message and all stacktrace as one record
Paxa
All 13 comments
Here is how logstash allows this to be done, maybe we can add something similar.
https://www.elastic.co/guide/en/logstash/2.4/plugins-codecs-multiline.html
danielnelson
on 14 Sep 2017
Hi.
Seems that multi-line is not yet supported, right ? I'm just wandering how difficult is to add such feature ?
botzill
on 13 Nov 2017
Hi, I'm interested in implementing this feature but just wonder which plugin is right to add on. tail or logparser?
wingsof
on 4 Jul 2018
We are moving the grok parser out from the logparser input to be a standalone parser in https://github.com/influxdata/telegraf/pull/4332. This will allow the tail plugin to replace logparser so we should try to add it to the tail parser.
danielnelson
on 4 Jul 2018
I see that 4332 was merged, any updates on this ? @wingsof still interested in extending the plugin ?
the-noob
on 13 Nov 2018
@the-noob Hello, I have this feature implemented in our in-house version of telegraf and have a plan to contribute. But I'm in a tough situation with my project and I cannot say when can I do this. So, if this issue remains unimplemented until the end of this year (which is my project due date), I think I can make a PR at the moment.
wingsof
on 13 Nov 2018
What is the status of this feature? Is there any way to parse multiline logs ?
Thx!
boneq
on 24 Dec 2018
Hey @wingsof just happened to find this via Google. So glad you added this super useful feature already! It seems like you have everything ready so how do we make it possible for you to have the time to make the PR?
wpbullet
on 6 Feb 2019
I've implemented multiline processing in the tail input plugin: #5603
javicrespo
on 21 Mar 2019
Matching multiple lines isuue is solved in 1.12.6 release?
I cannot solve multiple lines log
[inputs.logparser.multiline]
xuqingyangjsti
on 25 Dec 2019
please help me
xuqingyangjsti
on 25 Dec 2019
@xuqingyangjsti This feature has been incorporated into a release yet. Keep an eye on the pull request for it to be marked "merged" and when this occurs we will add a milestone with the first version it can be used in.
danielnelson
on 26 Dec 2019
This is now supported in inputs.tail in and will be officially released in 1.16. Note that logparser is deprecated and the recommendation is to use inputs.tail.
ssoroka
on 7 Oct 2020
Related issues
chench00
·
3Comments
hluaces
·
3Comments
mrcheeky123
·
3Comments
Xiol
·
3Comments
veerendra2
·
3Comments
Most helpful comment
Here is how logstash allows this to be done, maybe we can add something similar.
https://www.elastic.co/guide/en/logstash/2.4/plugins-codecs-multiline.html