Multiline codec does not send latest message of a logfile
Description
discovered while testing
testing discovered
Gliffy Diagrams
Activity
Show:
Aaron Mildenstein February 6, 2015 at 6:13 PM
This is resolved now with periodic flushing.
Bernd Eckenfels May 8, 2014 at 1:48 AM
Still an issue for 1.4.1
Cyril DUBUS April 8, 2014 at 2:35 PM
Hi !
I confirm this issue whith logstash 1.4.0.
This is a very annoying behaviour, it looks almost broken to me when you have only a few events per day.
Tian Chen April 1, 2014 at 9:22 PM
As far as I know this issue hasn't been solved, I'm trying to make some changes to the muiltline filter to fix it myself. Will post my results here as well as https://logstash.jira.com/browse/LOGSTASH-271
Oliver Fischer April 1, 2014 at 6:11 PM
I prepared an example with Logstash 1.4.0 to demonstrate the problem of the lost last line.
The example is available at https://bitbucket.org/obfischer/bugreport-logstash-multiline-filter/
The readme.md of the repository describes who to run the example.
The multiline code of Logstash is not able to send the latest multiline message of a logfile until a new message has been written.
I am shipping the logmessages of a GlassFish server via Logstash to ElasticSearch. To process the logfile of GlassFish I use the following input configuration.
Using this configuration I always miss the last written log message.
For example if I shutdown the GlassFish the last two messages in the logfile are
The latest log message in my ElasticSearch cluster is
According to the multiline codec should be able to flush the current message if the logfile is idle.
Please fix this! It is very annoying since it gives you the feeling to miss or to loose information.