Telegraf Tail plugin - Multiline management

Hi,

I’m using Telegraf and its tail plugin to collect several logfiles.

Everything is send with data_format = “json” ( I can’t change this way for project reasons)

For classical logfile, I have no problem using this configuration:

[[inputs.tail]] 
   files = ["/my/log/path/example.log"]

  name_override = "example_index"
  from_beginning = true
  watch_method = "inotify"

  data_format = "grok" 
  grok_patterns = [""%{GROK1}"]
  grok_custom_pattern_files = ["/etc/telegraf/grok/grok1.grok"]

However, This works only for my logfile having one line per log.
When it comes to multiline logfile, telegraf is not able to identify all the content of the log.

So I wish i could use [inputs.tail.multiline] or just add those parameters to my previous example:

pattern = "^%{TIMESTAMP_ISO8601:date}"
match_which_line = "previous"
invert_match = false 

However it seems this method cant take files input as argument !

Is there really no solution for this ?

Thanks !

Hi Gl0ups, the multiline pattern setting only accepts regular expressions, not grok patterns. You might be able to do what you want if you find a regexp equivalent for TIMESTAMP_ISO8601:date.

There are lots of valid iso8601 date formats so you may have to write one that matches the particular date format you are using. Here’s a page that has a few regexps you can try: 4.7. Validate ISO 8601 Dates and Times - Regular Expressions Cookbook, 2nd Edition [Book]

Good luck