Multiline messages in chainsaw

StackOverflow https://stackoverflow.com/questions/14368055

  •  16-01-2022
  •  | 
  •  

Question

I'm using chainsaw 2.1.0 snapshot from http://people.apache.org/~sdeboy/
I was able to set it up to parse a log file, but it always splits multiline messages into multiple one-line messages (including all the other fields into the first message)
How can I make it parse multiline messages correctly? Is there any workaround or alternative?

Edit: a few lines from the file:

[<proceed>(2)] INFO 2013-01-16 05:04:23,728 xmlstream.py:start_tls:740 ::: Negotiating TLS :::
[<proceed>(2)] INFO 2013-01-16 05:04:23,729 xmlstream.py:start_tls:741 ::: Using SSL version: 3 :::
[<proceed>(2)] DEBUG 2013-01-16 05:04:23,838 xmlstream.py:start_tls:809 ::: CERT: -----BEGIN CERTIFICATE-----
MIIDaDCCAtGgAwIBAgIKMfrHUQAAAABbMDANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMjA2MDUwMDUyMTRaFw0xMzA2MDUwMTAyMTRa
MGMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
...
Zfhf9Lio+EplEmBc
-----END CERTIFICATE-----
 :::

and the log format is "[NDC] LEVEL TIMESTAMP FILE:METHOD:LINE ::: MESSAGE :::"
(I attempted to put unique separators before and after the message to help with parsing)

Was it helpful?

Solution

Try setting 'appendNonMatches' to false in the receiver configuration.

If that doesn't work, provide a few lines of your log file (a mix of single and multi-lines) and I can tell you what you need to do configuration-wise.

It might be a bug too, will have to see.

A few notes after your responses:

  • AppendNonMatches=false is probably ok if you are using a single logging framework/layout (not randomly embedding printf-style output)..but..missed matches are dropped on the floor with this set to false, so beware..
  • I've never bothered testing with an end delimiter for the message - it is pretty much required that the message is the last field in the log message, because of the potential variability of the content in the message field.
  • If you have multiple lines starting with: (tab)at - those fields should be converted into to the throwable field.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top