From 261b07deb6ba80859fea92aad3ad39759f2000c1 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Tue, 20 Oct 2015 09:43:11 -0700
Subject: [PATCH] Special case ansible logs

Special case ansible logs which don't have timestamps in console logs as
non multiline events. This should clean up some of our mutltiline event
merging that is happening where it shouldn't.

Note that we make the ansible line not match the multiline filter to
force the previous event to be flushed as is. The ansible line will then
fail the grok filter and become a grok failure as the timestamp is
missing.

Change-Id: I2d3afa3e97dc3c7e02be17268821482c7df60ef3
---
 modules/openstack_project/templates/logstash/indexer.conf.erb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/openstack_project/templates/logstash/indexer.conf.erb b/modules/openstack_project/templates/logstash/indexer.conf.erb
index d18cef39b2..7b4eaf8ce5 100644
--- a/modules/openstack_project/templates/logstash/indexer.conf.erb
+++ b/modules/openstack_project/templates/logstash/indexer.conf.erb
@@ -18,7 +18,9 @@ filter {
     }
     multiline {
       negate => true
-      pattern => "^%{TIMESTAMP_ISO8601} \|"
+      # Special case ansible output here because it likes to go on its own
+      # line without a timestamp but isn't part of a mulitline event.
+      pattern => "(^%{TIMESTAMP_ISO8601} \||^%{WORD}%{SPACE}\|%{SPACE}%{WORD}%{SPACE}\|%{SPACE}rc=%{NUMBER}%{SPACE}>>$)"
       what => "previous"
       stream_identity => "%{host}.%{filename}"
     }