Graylog multiline log processing

Hi,

I am trying to process the log below, which is in multiline format, using Filebeat.

7/5/2019 7:05:00 AM==> System.Web.HttpException (0x80004005): A public action method 'Id' was not found on controller 'SmartData.EndUserPortal.Web.Controllers.ServiceRequestController'.
   at System.Web.Mvc.Controller.HandleUnknownAction(String actionName)
   at System.Web.Mvc.Controller.<BeginExecuteCore>b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.<BeginProcessRequest>b__5(IAsyncResult asyncResult, ProcessRequestState innerState)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.<>c__DisplayClass285_0.<ExecuteStepImpl>b__0()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
   

GROK
SmartData: (?<timestamp>[0-9]+\/[0-9]+\/[0-9]+\s+[0-9]+\:[0-9]+\:[0-9]+\s+[A-P]{2})\=\=\> %{GREEDYDATA:Message}$

Pipeline rule:

rule "SmartData"
when
  has_field("message")
then
  // Apply the stored SmartData grok pattern to the message field
  let pattern = "%{SmartData}";
  let matches = grok(pattern: pattern, value: to_string($message.message));
  set_fields(matches);
end

It's processing only a single-line log. How do I parse the above multiline log using Graylog? I need your help to fix this issue.

I used the same grok pattern/regex to parse the above multiline log in Logstash, and it parsed as expected.

Thanks,
Jay

The Grok implementation in Graylog does not allow multiline grok patterns…

You might want to +1 this issue.

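An added example, not part of the original thread and not Graylog or Filebeat code: a Python sketch of the two steps this kind of log needs, grouping continuation lines under the timestamped header line and then matching the whole event. It shows that a pattern ending in `.*$` matches only single-line events unless `.` is allowed to cross newlines. The sample lines are constructed, and `[AP]M` is an assumed stand-in for the `[A-P]{2}` in the posted pattern.

```python
import re

# Event header in the shape of the posted pattern: "7/5/2019 7:05:00 AM==> "
HEADER = r"(?P<timestamp>\d+/\d+/\d+\s+\d+:\d+:\d+\s+[AP]M)==>\s"
START = re.compile(HEADER)

# Line-oriented form: '.' does not cross a newline, so '$' is never reached
# on an event that carries a stack trace.
LINE_ONLY = re.compile(HEADER + r"(?P<Message>.*)$")
# DOTALL lets '.' cross newlines, so the stack trace stays in Message.
WHOLE_EVENT = re.compile(HEADER + r"(?P<Message>.*)\Z", re.DOTALL)


def group_events(lines):
    """Join lines without a timestamp header onto the preceding event."""
    events, current = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.strip():
            continue  # blank separator lines carry no data
        if START.match(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def parse(event, pattern=WHOLE_EVENT):
    """Return the named fields of one event, or None if it does not match."""
    m = pattern.match(event)
    return m.groupdict() if m else None


# Constructed sample: one event with a stack trace, one single-line event.
SAMPLE = """
7/5/2019 7:05:00 AM==> System.Web.HttpException (0x80004005): action 'Id' was not found
   at System.Web.Mvc.Controller.HandleUnknownAction(String actionName)
   at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)

7/5/2019 7:06:12 AM==> Request completed
"""

if __name__ == "__main__":
    for ev in group_events(SAMPLE.splitlines()):
        print(parse(ev, LINE_ONLY), parse(ev), sep="\n")
```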