Multiline filter with match creates duplicates in logstash

Question

I stuck this issue for last 2 days. I am using using logstash to receive logs from the forwarder.I am using multiline filter to match the logs and parse the logs using grok pattern.All are working fine. Except the last line of log.

multiline {
    patterns_dir => "/patterns"
    pattern => "^\[%{OBIEE_DATESTAMP}\]"
    negate => true 
    what => "previous"
    enable_flush => true
    stream_identity => "%{host}.%{type}"
}

if [type] == "nqcluster" {
    grok {
        patterns_dir => "/patterns"
        match => [ "message", "%{OBIEE_CC_LOG}" ]
    }   
}

After i have used enable_flush option, It takes the last line of log as well. But it produces duplicate tag values as follows.

"timestamp" => [
    [0] "2015-02-21T12:10:39.000+05:30",
    [1] "2015-02-21T12:10:39.000+05:30"
],
       "AppName" => [
    [0] "OracleBIClusterControllerComponent",
    [1] "OracleBIClusterControllerComponent"
],

Please help me to resolve this.

What version of logstash are you running? In 1.4, multiline flushing is not "production ready". — Alain Collins, Mar 06 '15 at 06:44
Yes i am using 1.4.2. So which version is suitable for multiline flushing. Or any other way to flush the message. B'coz i need live update of the logs. — user1677237, Mar 06 '15 at 07:18
If you have traffic in the logs, they'll flush by themselves. I believe that 1.5 (still beta?) includes a production-ready flush mechanism for multiline, — Alain Collins, Mar 06 '15 at 08:04
How to make a traffic. As i already told, i want live updates. Also can you please share the 1.5 logstash link. — user1677237, Mar 06 '15 at 08:43
Logstash downloads are available here: http://www.elasticsearch.org/overview/logstash/download/ — Alain Collins, Mar 06 '15 at 17:01
Thanks alain. I merged 1.4.2 and 1.5 and now its working fine. — user1677237, Mar 07 '15 at 10:09

Multiline filter with match creates duplicates in logstash

0 Answers0