I've got an odd issue that I'm hoping someone smarter than me can shed light on.
I'm collecting logs from a Linux server. The logs in question look like this:
Code: Select all
[2019/05/14-11:51:40.097] [FT-ScenarioThread-Xm6NvwMU-411624] [INFO] [dip.scenarios.mail.abstract] scenario PUBLICAPITESTING.SHOULDFAIL#2019-05-14-11-51-39-307 - Expanded message body text to
****Operations Support Alert****
line1^Mline2^Mline3
****End Operations Support Alert****
I'm ingesting these logs into NLS via a multiline input with the following filter:
Code: Select all
tcp {
type => dataiku_multiline
codec => multiline {
pattern => '^<133>%{GREEDYDATA}\[[0-9]{4}[/][0-9]{2}[/][0-9]{2}[-][0-9]{2}[:][0-9]{2}[:][0-9]{2}.[0-9]{3}\]'
negate => true
what => previous
}
port => 6688
}
The logs appear in NLS and look like this:
Code: Select all
<133>May 14 11:51:41 XXXXXXXX dataiku_multiline: [2019/05/14-11:51:40.097] [FT-ScenarioThread-Xm6NvwMU-411624] [INFO] [dip.scenarios.mail.abstract] scenario PUBLICAPITESTING.SHOULDFAIL#2019-05-14-11-51-39-307 - Expanded message body text to
<133>May 14 11:51:41 XXXXXXXXXX dataiku_multiline: ****Operations Support Alert****
<133>May 14 11:51:41 XXXXXXXXXX dataiku_multiline: [b]line1
line2
line3
[/b]<133>May 14 11:51:41 XXXXXXXXXX dataiku_multiline: ****End Operations Support Alert****
Now things start to go sideways. When my alert fires and emails me, here's what I get:
Code: Select all
<133>May 14 11:51:41 XXXXXXX dataiku_multiline: [2019/05/14-11:51:40.097] [FT-ScenarioThread-Xm6NvwMU-411624] [INFO] [dip.scenarios.mail.abstract] scenario PUBLICAPITESTING.SHOULDFAIL#2019-05-14-11-51-39-307 - Expanded message body text to <133>May 14 11:51:41 XXXXXXXX dataiku_multiline: ****Operations Support Alert**** <133>May 14 11:51:41 XXXXXXXXX dataiku_multiline: line1line2line3 <133>May 14 11:51:41 XXXXXXXX dataiku_multiline: ****End Operations Support Alert****Anyone have any idea of why this is happening and how to make the messages come across with the correct LF/CR encodings?
Thanks,
-- Mike Beebe
