Instead of Single log message it displays multiple messages

ajay · January 22, 2019, 4:47pm

Hello Team,

In our application, every message start with “2019-01-22 16:31:39+0000” as shown below

“2019-01-22 16:31:39+0000 [index:query-api] INFO [http-nio-8080-exec-10] [tId:418a017d-ce78-4a76-b2bf-b293ebc6f79f] [rId:6a128d76-3ecc-464b-8c14-d2344d6ca565] [tt:DEMO]{aId=} com.gainsight.service.PostgresAndRedshiftQueryAPIServiceImpl:HAPOSTGRES query built: SELECT t1.accountName AS “t1_AccountName”, t1.recipientEmailAddress AS “t1_RecipientEmailAddress”, t1.sfdcAccountId AS “t1_SfdcAccountId”, t1.gsid AS “t1_Gsid”, t1.participantId AS “t1_ParticipantId”, t1.participantState AS “t1_ParticipantState”, t1.participantSourceName AS “t1_ParticipantSourceName”, t1.failureReasons AS “t1_FailureReasons”, t1.contextAttributeString1 AS “t1_ContextAttributeString1”, t1.contextAttributeString2 AS “t1_ContextAttributeString2”
LIMIT 1000”

But instead of the single message, it displays as three messages in Graylog as shown in the below fig

Pls help me.

jan · January 23, 2019, 6:23am

How did you ingest the messages to Graylog?

ajay · January 23, 2019, 8:46am

Hello Jan Doberstein,

At The Client Side:
Install “graylog-sidecar-1.0.0-1.beta.2.x86_64.rpm” and configured “/etc/graylog/sidecar/sidecar.yml” the server details, Node Name and API Token.

At Server side:

Needed for Graylog

fields_under_root: true
fields.collector_node_id: {sidecar.nodeName} fields.gl2_source_collector: {sidecar.nodeId}

filebeat.inputs:

input_type: log
paths:
- /data/autoqa01/query-api/logs/*query-api.log
  type: log
  output.logstash:
  hosts: [“http://{domain}:5044”]
  path:
  data: /var/cache/graylog-sidecar/filebeat/data
  logs: /var/log/graylog-sidecar

jan · January 23, 2019, 12:16pm

so you use sidecar and filebeat as collector to send messages.

Please read how to read and send multi line messages with filebeat: https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html

ajay · January 23, 2019, 5:53pm

Thank you Jan Doberstein, Working fine with below settings
multiline.pattern: ‘^[0-9]{4}-[0-9]{2}-[0-9]{2}’
multiline.negate: true
multiline.match: after

system · February 6, 2019, 5:53pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog Alert with multiple messages in one mail Graylog Central (peer support)	1	852	November 21, 2019
Graylog 4.1.5 - Notifications - One Mail per Event - No Backlog Graylog Central (peer support)	8	562	November 3, 2021
Two messages from the stream Graylog Central (peer support)	1	325	February 18, 2020
Working with multiple messages Graylog Central (peer support)	5	2423	October 13, 2017
Graylog Notification - Message Condition Graylog Central (peer support) pipeline-rules	5	1163	January 20, 2020

Instead of Single log message it displays multiple messages

Needed for Graylog

Related Topics