module LogStash

This class is a Codec duck type. Using composition, it maps from a stream identity to a cloned codec instance, and it implements the codec public API so that it can be used via the same API as a Codec.

The multiline codec will collapse multiline messages and merge them into a single event.

IMPORTANT: If you are using a Logstash input plugin that supports multiple hosts, such as the <<plugins-inputs-beats>> input plugin, you should not use the multiline codec to handle multiline events. Doing so may result in the mixing of streams and corrupted event data. In this situation, you need to handle multiline events before sending the event data to Logstash.

The original goal of this codec was to allow joining of multiline messages from files into a single event. For example, joining Java exception and stacktrace messages into a single event.

The config looks like this:

[source,ruby]
----
input {
  stdin {
    codec => multiline {
      pattern => "pattern, a regexp"
      negate => "true" or "false"
      what => "previous" or "next"
    }
  }
}
----

The `pattern` should match what you believe to be an indicator that the field is part of a multi-line event.

The `what` must be `previous` or `next` and indicates the relation to the multi-line event.

The `negate` can be `true` or `false` (defaults to `false`). If `true`, a message not matching the pattern will constitute a match of the multiline filter and the `what` will be applied (and vice versa).

For example, Java stack traces are multiline and usually have the message starting at the far-left, with each subsequent line indented. Do this:

[source,ruby]
----
input {
  stdin {
    codec => multiline {
      pattern => "^\s"
      what => "previous"
    }
  }
}
----

This says that any line starting with whitespace belongs to the previous line.

Another example is to merge lines not starting with a date into the previous line.

[source,ruby]
----
input {
  file {
    path => "/var/log/someapp.log"
    codec => multiline {
      # Grok pattern names are valid! :)
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate => true
      what => "previous"
    }
  }
}
----

This says that any line not starting with a timestamp should be merged with the previous line.

One more common example is C line continuations (backslash). Here's how to do that:

[source,ruby]
----
input {
  stdin {
    codec => multiline {
      pattern => "\\$"
      what => "next"
    }
  }
}
----

This says that any line ending with a backslash should be combined with the following line.
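
The stream-mixing warning above, and the reason this class keys codec instances by stream identity, can be seen in a simplified model. This is an added example, not Logstash source code: `PreviousMerger`, `collapse`, and the sample lines are hypothetical names and constructed data, and only `what => "previous"` with the `^\s` pattern is modeled.

```ruby
# Simplified model of `what => "previous"` (illustration only, not Logstash code).
class PreviousMerger
  def initialize(pattern, negate: false)
    @pattern = pattern
    @negate = negate
    @buffer = []
  end

  # Feed one line. Returns a completed event (String) or nil if still buffering.
  def accept(line)
    match = line.match?(@pattern) != @negate
    done = match ? nil : flush   # a non-matching line closes the pending event
    @buffer << line
    done
  end

  # Emit whatever is buffered as one event, or nil if nothing is pending.
  def flush
    event = @buffer.join("\n")
    @buffer = []
    event.empty? ? nil : event
  end
end

# Collapse [identity, line] pairs using one shared merger (shared: true)
# or one merger per stream identity (shared: false).
def collapse(tagged_lines, shared:)
  mergers = Hash.new { |h, id| h[id] = PreviousMerger.new(/^\s/) }
  events = tagged_lines.map { |id, line| mergers[shared ? :all : id].accept(line) }
  mergers.each_value { |m| events << m.flush }
  events.compact
end

# Constructed sample: lines from two hosts arriving interleaved on one input.
INTERLEAVED = [
  ["host-a", "ERROR a: NullPointerException"],
  ["host-b", "ERROR b: login failed for admin"],
  ["host-a", "  at com.example.A.run(A.java:10)"],
  ["host-b", "INFO b: retry ok"],
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "shared merger:", collapse(INTERLEAVED, shared: true).map(&:inspect)
  puts "per-identity:", collapse(INTERLEAVED, shared: false).map(&:inspect)
end
```

With a shared merger, host-a's stack frame is attached to host-b's login failure event, which is the kind of corrupted record that misleads an investigation; keyed by identity, each frame stays with its own host's event.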