
I have a multiline log written in a file as follows:

INFO   | jvm 1    | main    | 2014/11/06 13:41:30.112 | ERROR [appHTTP50] [appEmployeeAuthenticationProvider] Can't login with username 'username'
INFO   | jvm 1    | main    | 2014/11/06 13:41:30.112 | org.framework.security.authentication.BadCredentialsException: Bad credentials
INFO   | jvm 1    | main    | 2014/11/06 13:41:30.112 |     at de.app.platform.security.CoreAuthenticationProvider.authenticate(CoreAuthenticationProvider.java:133)
INFO   | jvm 1    | main    | 2014/11/06 13:41:30.112 |     at ca.canadiantire.security.appEmployeeAuthenticationProvider.authenticate(appEmployeeAuthenticationProvider.java:39)
INFO   | jvm 1    | main    | 2014/11/06 13:41:30.112 |     at org.framework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
INFO   | jvm 1    | main    | 2014/11/06 13:41:30.112 |     at org.framework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)

However, the line below is at the beginning of each line of the trace:

INFO | jvm 1 | main | 2014/11/06 13:41:30.112 |

Does anyone know how to keep this part at the beginning of the "ERROR" line, drop it from the other lines of the trace with grok, and get the full trace as a single message in Logstash? Any other solutions are welcome.

1 Answer


I would think gsub{} is the answer. Either have a conditional stanza that would remove the preface from the subsequent lines, e.g.:

# Only touch lines that are not the first line of an event (the one carrying "| ERROR ")
if [message] !~ /\| ERROR / {
    mutate {
        # strip everything up to and including the last "| " (the wrapper prefix)
        gsub => [ "message", "^.* \| ", "" ]
    }
}

which, if it's "greedy", might leave you with a line like this:

org.framework.security.authentication.BadCredentialsException: Bad credentials

which could then be combined with a subsequent multiline{} filter.

Obviously, you'd need to make both regexps generic enough to handle each log level that you're expecting.

Alain Collins
  • Hi Alain, the question here is to leave it only on the first line and remove it from the others in the trace, as we need to have the initial timestamp. Do you have any ideas on how to get it? And another thing is that we need this not only for ERROR, but for WARN and DEBUG as well. So I guess we can replace just with the mutate filter plugin (without the if statement)? – Mikhail Bibik Nov 09 '15 at 12:56
  • I understood the question, which is why I gave you an answer. I also understood that there would be more than one level, which is why I mentioned that in my answer. No, you can't remove the 'if'. – Alain Collins Nov 09 '15 at 14:56
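The same grouping logic as the answer's gsub-plus-multiline approach, as an added Python example that is not from the question, the answer or Logstash itself: it keeps the wrapper prefix (and so the timestamp) on the first line of each event, strips it from continuation lines, and starts a new event whenever the payload begins with a log level, so it covers ERROR, WARN and DEBUG as the comments ask. Unlike the greedy `^.* \| ` regexp, it anchors on the four wrapper fields and the timestamp, so a payload line that itself contains " | " is not truncated. The level set and the WARN sample line are assumptions.

```python
import re

# Wrapper prefix on every line: "<LEVEL> | <jvm> | <thread> | <timestamp> | " (shape of the sample above).
# Anchoring on the four fields and the timestamp avoids the greedy "^.* \| " problem when a
# payload line itself contains " | ".
PREFIX_RE = re.compile(
    r'^(?P<prefix>\w+\s*\|[^|]*\|[^|]*\|\s*'
    r'(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \| ?)'
    r'(?P<rest>.*)$')

# A payload that starts with an application log level begins a new event (assumed level set).
EVENT_START_RE = re.compile(r'^(ERROR|WARN|INFO|DEBUG|TRACE)\b')

# Sample input: lines from the question's trace plus one constructed WARN line to show the split.
SAMPLE_LINES = [
    "INFO   | jvm 1    | main    | 2014/11/06 13:41:30.112 | ERROR [appHTTP50] [appEmployeeAuthenticationProvider] Can't login with username 'username'",
    "INFO   | jvm 1    | main    | 2014/11/06 13:41:30.112 | org.framework.security.authentication.BadCredentialsException: Bad credentials",
    "INFO   | jvm 1    | main    | 2014/11/06 13:41:30.112 |     at de.app.platform.security.CoreAuthenticationProvider.authenticate(CoreAuthenticationProvider.java:133)",
    "INFO   | jvm 1    | main    | 2014/11/06 13:41:30.112 |     at org.framework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)",
    "INFO   | jvm 1    | main    | 2014/11/06 13:41:31.004 | WARN  [appHTTP50] Account lockout threshold reached for 'username'",  # constructed
]


def group_events(lines):
    """Return one dict per event: the first line keeps its prefix (and so its timestamp),
    continuation lines are appended with the prefix stripped, indentation preserved."""
    events = []
    current = None
    for line in lines:
        m = PREFIX_RE.match(line)
        if m is None:
            # No wrapper prefix at all: keep the raw line with the current event.
            if current is not None:
                current["message"] += "\n" + line
            continue
        rest = m.group("rest")
        if current is None or EVENT_START_RE.match(rest):
            current = {"timestamp": m.group("ts"), "message": m.group("prefix") + rest}
            events.append(current)
        else:
            current["message"] += "\n" + rest
    return events


if __name__ == "__main__":
    for ev in group_events(SAMPLE_LINES):
        print(ev["timestamp"], ev["message"], sep="\n", end="\n---\n")
```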