GROK Pattern to Match New Line

ukchris · August 22, 2017, 2:22pm

My log files occasionally have multi-line messages in them, I have filebeat configured to bring them in without issue but I cannot for the life of me get a GROK pattern to accept the new line characters. In my most common case the log entry includes a SQL statement which, depending on how it was created may have newline characters.

When it’s all one line it’s fine as .* matches, what syntax can I use in a graylog regex/grok to accept carriage return / new line characters? I have tried most of the variations I can find online with no luck.

jochen · August 22, 2017, 2:32pm

ukchris · August 24, 2017, 12:58am

Thanks Jochen, as an aside do you think it’d be feasible to replace the new line characters with a pipeline rule or do they work in the same manner?

Original Quoted context has been removed as per policy

system · September 7, 2017, 12:58am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline log messages Graylog Central (peer support)	1	2885	June 16, 2017
Pipeline grok syntax Graylog Central (peer support)	4	5818	December 19, 2017
Number of lines in gralog messages section at once Graylog Tech Challenges	5	1055	October 1, 2021
Graylog Extractor - Sidecar Multiline Graylog Central (peer support) sidecar	5	1959	May 4, 2021
Graylog exclude option not working for my input Graylog Central (peer support)	6	993	March 22, 2018

GROK Pattern to Match New Line

Related topics