Graylog Collector Sidecar: Multiline support

Hi Guys!

During using graylog collector sidecar I met some issue which I’d like to solve. When I’m sending my logs from test.log file I get every single line as a new entry. However when I’m getting for example java Exception there is multiline stack trace. Sending it line by line is pointless so I started to figure out how can I split messages by some pattern. I noticed that every single log in my test.log is starting from date:
[2017-06-30 14:29:30,596] bla bla bla

I noticed also that sidecar Input is forced with multiline pattern - moreover, I have great pattern to my date: ^[([^]]*)]

However it doesn’t work at all. It doesn’t split every message but some of them. Do you have any idea what probably I’m doing wrong?

Thanks in advance, guys!

At least you probably need to quote the brackets: \[ \]

OK, I’ve got the solution. You were right @jtkarvo - patern was wrong, proper one is below:

^[([^]]*)]

However in edit section you need to mark “Enable multiline” and mark “Multiline pattern…” and set “after”. Rest is ok. After this when you got large java exception stack trace you will get it as one message. Brilliant

Have a nice day as I have!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.