Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Multiline filter makes @timestamp and message become arrays

Description

Hi,

After upgrading from 1.3.3 to 1.4.0 the multiline filter transforms @timestamp and message into arrays. For example I have this two-lines log entry:

Mar 24, 2014 12:51:44 PM org.apache.cxf.blah.ReflectionServiceFactoryBean buildServiceFromClass INFO: Creating Service {http://user.core.blih/}UserServiceService from class bluh.ws.core.user.UserService

My multiline configuration is

multiline { patterns_dir => ['/opt/squid/logs/etc/patterns'] pattern => "^%{CATALINA_DATESTAMP}" what => "previous" negate => "true" }

The json representation of the log becomes:

{ "tags": [ "multiline" ], "path": "/var/log/test_java.log", "host": "test", "@timestamp": [ "2014-03-24T17:01:48.865+01:00", "2014-03-24T17:01:48.867+01:00" ], "@version": "1", "message": [ "Mar 24, 2014 12:51:44 PM org.apache.cxf.blah.ReflectionServiceFactoryBean buildServiceFromClass", "INFO: Creating Service {http://user.core.blih/}UserServiceService from class bluh.ws.core.user.UserService" ] }

Note that the multiline filter "works", but the message is not a string with "\n" like before. Is that a new feature ? How can we grok this message ? Thank you.

Gliffy Diagrams

Activity

Show:

Philippe Weber March 3, 2015 at 5:55 AM

Oliver Fischer April 15, 2014 at 12:47 PM

Fabien Baligand April 6, 2014 at 5:17 PM

I have exactly the same problem.
I have not this problem when using logstash 1.3.3.
This implies a blocking problem : the following filters are simply ignored (date, grok, ...)

Jan Gaedicke April 2, 2014 at 1:34 PM

I think this is a duplicate of https://logstash.jira.com/browse/LOGSTASH-1892

Jan Gaedicke April 2, 2014 at 1:08 PM

when using the elasticsearch-output this behaviour kills the logstash process.
I think this is critical to a lot of logstash users.

NoMethodError: undefined method `tv_sec' for #<Array:0x1c14ae29>
sprintf at /opt/logstash/lib/logstash/event.rb:223
gsub at org/jruby/RubyString.java:3041
sprintf at /opt/logstash/lib/logstash/event.rb:209
receive at /opt/logstash/lib/logstash/outputs/elasticsearch.rb:324
handle at /opt/logstash/lib/logstash/outputs/base.rb:86
initialize at (eval):537
call at org/jruby/RubyProc.java:271
output at /opt/logstash/lib/logstash/pipeline.rb:266
outputworker at /opt/logstash/lib/logstash/pipeline.rb:225
start_outputs at /opt/logstash/lib/logstash/pipeline.rb:152

Fixed

Details

Assignee

Reporter

Labels

Fix versions

Affects versions

Created March 25, 2014 at 9:54 AM
Updated March 3, 2015 at 5:55 AM
Resolved March 3, 2015 at 5:55 AM
Configure