Special case ansible logs

Special case ansible logs which don't have timestamps in console logs as non multiline events. This should clean up some of our mutltiline event merging that is happening where it shouldn't. Note that we make the ansible line not match the multiline filter to force the previous event to be flushed as is. The ansible line will then fail the grok filter and become a grok failure as the timestamp is missing. Change-Id: I2d3afa3e97dc3c7e02be17268821482c7df60ef3
2015-10-20 09:43:11 -07:00 · 2015-10-20 09:43:11 -07:00 · 261b07deb6
commit 261b07deb6
parent 6b88bbd29b
1 changed files with 3 additions and 1 deletions
--- a/modules/openstack_project/templates/logstash/indexer.conf.erb
+++ b/modules/openstack_project/templates/logstash/indexer.conf.erb
@ -18,7 +18,9 @@ filter {
    }
    multiline {
      negate => true
-      pattern => "^%{TIMESTAMP_ISO8601} \|"
+      # Special case ansible output here because it likes to go on its own
+      # line without a timestamp but isn't part of a mulitline event.
+      pattern => "(^%{TIMESTAMP_ISO8601} \||^%{WORD}%{SPACE}\|%{SPACE}%{WORD}%{SPACE}\|%{SPACE}rc=%{NUMBER}%{SPACE}>>$)"
      what => "previous"
      stream_identity => "%{host}.%{filename}"
    }