TELEMETRY PIPELINE
Multiline join

Multiline join

The multiline join processing rule combines multiple logs into a single log by looking for repeating patterns in log data.

Configuration parameters

Use the parameters in this section to configure this processing rule. The Telemetry Pipeline web interface uses the items in the Name column to describe these parameters. Pipeline configuration files use the items in the Key column as YAML keys.

NameKeyDescriptionDefault
Source keysrcRequired. The key that contains the log data to combine. This key's value must be a string, as the rule can't parse standard JSON objects, but it can parse escaped JSON strings.log
RegexregexRequired. The regular expression that determines which logs to combine. When a log that contains a matching string is found, that log plus all subsequent logs are combined until another log is reached that also contains a matching string. The new matching log becomes the start of the next combined log, and the pattern repeats.none
Regex engineregexEngineRequired. The engine to parse your regular expression. Accepted values: GNU, Oniguruma, PCRE2, POSIX, TRE.PCRE2
Maximum lineslineLimitRequired. The maximum number of logs that can be combined into a single log. This setting is a failsafe designed to prevent the rule from falling into an endless loop if it can't find the specified Regex pattern after a certain number of logs.1000
CommentcommentA custom note or description of the rule's function. This text is displayed next to the rule's name in the Actions list in the processing rules interface.none

Examples

Using the multiline join processing rule lets you group related logs together. You can use this rule to combine data that was inadvertently split into multiple parts, like a stack trace where each line of the message was assigned to its own log.

JSON logs

For example, given this sample log data:

{"inventory":"fruit:apricot"}
{"inventory":"vegetable:artichoke"}
{"inventory":"vegetable:asparagus"}
{"inventory":"fruit:banana"}
{"inventory":"vegetable:butternut_squash"}
{"inventory":"fruit:cantaloupe"}
{"inventory":"vegetable:cauliflower"}
{"inventory":"vegetable:corn"}
{"inventory":"vegetable:cucumber"}
{"inventory":"fruit:durian"}
{"inventory":"vegetable:daikon"}
{"inventory":"fruit:elderberry"}
{"inventory":"vegetable:edamame"}

A processing rule with the Source key value inventory and the Regex value fruit returns the following result:

{"inventory":"fruit:apricot\nvegetable:artichoke\nvegetable:asparagus"}
{"inventory":"fruit:banana\nvegetable:butternut_squash"}
{"inventory":"fruit:cantaloupe\nvegetable:cauliflower\nvegetable:corn\nvegetable:cucumber"}
{"inventory":"fruit:durian\nvegetable:daikon"}
{"inventory":"fruit:elderberry\nvegetable:edamame"}

This rule searched for logs in the inventory key that contained the string fruit, then combined each of those logs with any subsequent logs that didn't contain the string fruit. After the rule found another log that contained the string fruit, it started over and repeated the same pattern.

Raw logs

To combine raw logs, always use the value log for Source key.

You can also use the multiline join rule to combine raw logs. For example, given this sample log data:

Exception in thread "main" java.lang.RuntimeException:
    at com.storefront.module.Checkout.paymentProcess(Checkout.java:71)
    at com.storefront.module.Checkout.billingAddress(Checkout.java:435)
    at com.storefront.module.Checkout.shippingAddress(Checkout.java:742)
    at com.storefront.module.Checkout.main(Checkout.java:6)
Exception in thread "main" java.lang.NullPointerException:
    at com.storefront.module.Listing.productPhoto(Listing.java:84)
    at com.storefront.module.Listing.productColorway(Listing.java:219)
Exception in thread "main" java.lang.RuntimeException:
    at com.storefront.module.Settings.country(Settings.java:149)
    at com.storefront.module.Settings.currencyType(Settings.java:736)
    at com.storefront.module.Settings.main(Checkout.java:11)

A processing rule with the Source key value log and the Regex value exception returns the following result:

{"log":"Exception in thread \"main\" java.lang.RuntimeException:\n    at com.storefront.module.Checkout.paymentProcess(Checkout.java:71)\n    at com.storefront.module.Checkout.billingAddress(Checkout.java:435)\n    at com.storefront.module.Checkout.shippingAddress(Checkout.java:742)\n    at com.storefront.module.Checkout.main(Checkout.java:6)"}
{"log":"Exception in thread \"main\" java.lang.NullPointerException:\n    at com.storefront.module.Listing.productPhoto(Listing.java:84)\n    at com.storefront.module.Listing.productColorway(Listing.java:219)"}
{"log":"Exception in thread \"main\" java.lang.RuntimeException:\n    at com.storefront.module.Settings.country(Settings.java:149)\n    at com.storefront.module.Settings.currencyType(Settings.java:736)\n    at com.storefront.module.Settings.main(Checkout.java:11)"}

Chronosphere Telemetry Pipeline assigned a new log key to each raw event. After that transformation, this rule searched for logs with the log key that contained the string exception, then combined each of those logs with any subsequent logs that didn't contain the string exception. After the rule found another log that contained the string exception, it started over and repeated the same pattern.