Multiline parsers

You can define custom multiline parsers in the multiline_parsers section of YAML configuration files.

To define standard custom parsers, use the parsers section of YAML configuration files.

Syntax

To define custom parsers in the multiline_parsers section of a YAML configuration file, use the following syntax:

multiline_parsers:
  - name: multiline-regex-test
    type: regex
    flush_timeout: 1000
    rules:
      - state: start_state
        regex: '/([a-zA-Z]+ \d+ \d+:\d+:\d+)(.*)/'
        next_state: cont
      - state: cont
        regex: '/^\s+at.*/'
        next_state: cont

This example defines a multiline parser named multiline-regex-test that uses regular expressions to handle multi-event logs. The parser contains two rules: the first rule transitions from start_state to cont when a line matches the start pattern, and the second rule stays in cont for each subsequent line that matches the continuation pattern.
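The grouping these two rules produce can be seen with a simplified Python model of the rule state machine, run over constructed sample lines. This is an added example, not Fluent Bit code or part of the original documentation; it assumes unanchored regex search, ignores flush_timeout, and passes lines that match no rule through as single-line records.

```python
import re

# Rules copied from the multiline-regex-test parser above (regex delimiters removed).
RULES = [
    {"state": "start_state", "regex": r"([a-zA-Z]+ \d+ \d+:\d+:\d+)(.*)", "next_state": "cont"},
    {"state": "cont", "regex": r"^\s+at.*", "next_state": "cont"},
]

# Constructed sample input: a stack trace, a single-line event, and an unmatched line.
SAMPLE_LINES = [
    'Dec 14 06:41:08 Exception in thread "main" java.lang.RuntimeException: boom',
    "    at com.example.App.run(App.java:12)",
    "    at com.example.App.main(App.java:5)",
    "Dec 14 06:41:09 request completed",
    "plain line without a timestamp",
]

def group_lines(lines, rules=RULES):
    """Group raw lines into records (simplified model, not Fluent Bit's implementation)."""
    compiled = [(r["state"], re.compile(r["regex"]), r["next_state"]) for r in rules]
    records, current, expected = [], [], None

    def flush():
        nonlocal current, expected
        if current:
            records.append("\n".join(current))
        current, expected = [], None

    for line in lines:
        # Continuation: a record is open and a rule for the expected state matches.
        cont = next((nxt for st, rx, nxt in compiled
                     if current and st == expected and rx.search(line)), None)
        if cont is not None:
            current.append(line)
            expected = cont
            continue
        flush()  # the open record ends as soon as a line does not continue it
        start = next((nxt for st, rx, nxt in compiled
                      if st == "start_state" and rx.search(line)), None)
        if start is not None:
            current, expected = [line], start
        else:
            records.append(line)  # no rule matched: emitted as its own record
    flush()
    return records

if __name__ == "__main__":
    for i, rec in enumerate(group_lines(SAMPLE_LINES)):
        print(f"--- record {i} ---\n{rec}")
```

If the start pattern does not fit the real timestamp format, every stack frame arrives as a separate event, which makes downstream alerting and correlation on the exception unreliable.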

For information about supported configuration options for custom multiline parsers, see configuring multiline parsers.
