we have an active Loglevel Extractor placed on one of our Inputs.
It works pretty well for standard logs.
We also run Graylog sidecar and configured there a handling for Multiline messages.
The Pattern / regex expression ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.{4} matches the logdate and combines all logs in e.g. a Java Stacktrace into one Event. This also works pretty well.
The only thing that does not work is the both settings combined.
If we receive a multiline log, the Loglevel will not been extracted.
Does someone has any idea on how we can manage this?
thank you very much for your answer.
Our merging of multiline logs works, this is not the issue.
The problem is that if we receive an multiline log, the Loglevel Extractor placed on the Input does not work.
If we receive a “normal” log without multiline on the same Input, the Extractor works.
BR,
Steffen
I found the issue. In our extractor we only extract the Loglevels (INFO|DEBUG|WARN|TRACE).
If we receive an Multiline log ie a Java Stacktrace it shows up as ERROR.
So I only need to add this to our Extractor that’s all.
Sometimes it’s the little things that make the difference…
