Recover only a part of a log with multiline codec

Hello again,
I’m now having trouble with some particular logs.


As you can see, these are “multiline” logs: the message continues on the next lines. But (as you can see too), they start again with the same pattern.
What I’ve done:

I’ve determined this multiline codec:

codec => multiline {
    patterns_dir => "./patterns"
    pattern => "^%{TIMESTAMP_ISO8601} %{POSINT} %{LOGLEVEL} (?:%{USERNAME}|?) %{PROG}: {1}"
    negate => true
    what => previous
}
So if there is more than one blank space after the pattern, it's part of the previous log.
But here's the problem: how can I tell Logstash to only take what is after the pattern?
I've tried, and it gives me something pretty weird. Thanks in advance for the help.

I think you are looking for something like this. Obviously I cannot test this. But I am doing something similar, where anything not starting with a datestamp in the specific format is multiline. Works fine for my logs.

multiline {
    pattern => "%{TIMESTAMP_ISO8601} %{POSINT} %{LOGLEVEL} (?:%{USERNAME}|?) %{PROG}:\s"
    negate => true
    what => "previous"
}

Here is my working code. I modified this to attempt to make yours work.

multiline {
    pattern => "[%{DAY}-%{MONTHNUM}-%{MONTHDAY} %{TIME},"
    negate => true
    what => "previous"
}

As I said to you in your post: reverse effect. My issue is probably only my pattern, and I will find what I’ve done wrong.

I changed the end of my regex from " {1}" to " %{NOTSPACE}". It works again, but everything is concatenated dumbly.

I didn’t find the equivalent of “stream_identity” in codec, so I’m stuck again.

Need help, anyone please
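
The rule described in this thread (a repeated prefix followed by more than one space marks a continuation line) modelled in plain Ruby as an added example; it is not code from any poster and it is not Logstash configuration. `PREFIX` is a hand-written approximation of the grok pattern, and the names and sample lines are constructed for illustration.

```ruby
# Hand-written approximation of the thread's grok prefix (an assumption):
# ISO8601 timestamp, pid, log level, user name or "?", program name, colon.
PREFIX = /\A\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)? \d+ [A-Z]+ (?:[\w.-]+|\?) [\w.-]+:/

# Ending used in the question: " {1}" is satisfied by the first of several spaces,
# so continuation lines match it too.
THREAD_STYLE = /#{PREFIX.source} {1}/
# New event: the prefix followed by exactly one space.
NEW_EVENT = /#{PREFIX.source} (?! )/
# Continuation: the same prefix repeated, followed by two or more spaces.
CONTINUATION = /#{PREFIX.source} {2,}/

# Constructed sample lines, not taken from the thread.
SAMPLE = [
  "2015-03-10 10:15:01,123 4242 ERROR alice backupd: Job failed",
  "2015-03-10 10:15:01,123 4242 ERROR alice backupd:   disk /dev/sdb1 is full",
  "2015-03-10 10:15:01,123 4242 ERROR alice backupd:   retry scheduled",
  "2015-03-10 10:15:02,456 4243 INFO ? cleanup: Started"
].freeze

# Same joining rule as negate => true / what => previous: a line that does not
# match NEW_EVENT is appended to the previous event. The repeated prefix and its
# padding are removed before appending, so only the message text is kept.
def join_events(lines)
  events = []
  lines.each do |raw|
    line = raw.chomp
    if events.empty? || line =~ NEW_EVENT
      events << line
    else
      events[-1] << "\n" << line.sub(CONTINUATION, "")
    end
  end
  events
end

if __FILE__ == $PROGRAM_NAME
  join_events(SAMPLE).each { |event| puts event, "--" }
end
```
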