multiline log index

Hey Shelin,
Thank you. :)

Here are my complete settings to index multiline input. Please check.

My input:
Wed Dec 13 06:10:22 2017 390603 : : The Assignment Information is not valid.
Please use the menus provided on the ‘Assignee Company’, ‘Assignee Organization’ and ‘Assignee Group’ or the type ahead return function on the ‘Assignee Group’ field to select this information. (ARERR 10000)

My grok:
(?%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})\s*(%{NUMBER:message_id})\s(?<error_msg>(?m:.*))
Screenshot from online grok constructor:

output:


The output clearly shows that the logs are parsed properly.

Settings graylog:
1) Collector input settings: (done as you suggested earlier)

2) Output in Graylog messages.

From the graylog output we can see that the second line of the log is not included under error_msg.
But it is taking only the data from the first line.
From our input log:
Wed Dec 13 06:10:22 2017 390603 : : The Assignment Information is not valid.
Please use the menus provided on the ‘Assignee Company’, ‘Assignee Organization’ and ‘Assignee Group’ or the type ahead return function on the ‘Assignee Group’ field to select this information. (ARERR 10000)

Ideally it should show, error_msg :
: : The Assignment Information is not valid.
Please use the menus provided on the ‘Assignee Company’, ‘Assignee Organization’ and ‘Assignee Group’ or the type ahead return function on the ‘Assignee Group’ field to select this information. (ARERR 10000)

But it's taking only the first line:
: : The Assignment Information is not valid.

Please help me to resolve this.

Thanks in advance.

Regards,
Jayakumar
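
An added example (not part of the original post and not Graylog's code) showing one way this symptom can arise: in Python's `re`, as in `java.util.regex`, the inline `m` flag only changes `^`/`$` and `.` still stops at a newline, while `s` lets `.` cross it; Ruby/Oniguruma-style engines instead treat `m` as dot-matches-newline. That the Graylog extractor evaluates the pattern with Java-style flags is an assumption, as are the simplified pattern definitions, the group name `ts`, and the shortened sample event.

```python
import re

# Simplified stand-ins for the grok patterns used in the post (not the
# official definitions); just enough to match the sample line.
GROK = {
    "DAY": r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)",
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "MONTHDAY": r"\d{1,2}",
    "TIME": r"\d{2}:\d{2}:\d{2}",
    "YEAR": r"\d{4}",
    "NUMBER": r"\d+",
}

def expand(pattern):
    """Replace %{NAME} and %{NAME:field} with plain or named regex groups."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = GROK[name]
        return f"(?P<{field}>{body})" if field else body
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", sub, pattern)

# "ts" is a hypothetical group name; the name used in the post was lost.
HEAD = r"(?P<ts>%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})\s*(%{NUMBER:message_id})\s"

def error_msg(event, flag):
    """Return what error_msg captures when the tail is (?<flag>:.*)."""
    rx = re.compile(expand(HEAD) + f"(?P<error_msg>(?{flag}:.*))")
    m = rx.match(event)
    return m.group("error_msg") if m else None

# Constructed two-line event, shortened from the sample in the post.
EVENT = (
    "Wed Dec 13 06:10:22 2017 390603 : : The Assignment Information is not valid.\n"
    "Please use the menus provided. (ARERR 10000)"
)

if __name__ == "__main__":
    print(repr(error_msg(EVENT, "m")))  # first line only
    print(repr(error_msg(EVENT, "s")))  # both lines
```

If `error_msg` is still cut at the first line with the `s` form, check whether the collector delivers the two lines as one message at all.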