Multiline logging failed to take effect

[jkqjkq]

Judging from the left side of the picture, these log messages are not sent together, sent line by line

configuration information

docker run -d --name="logspout" --volume=/var/run/docker.sock:/var/run/docker.sock \
--volume=/etc/hostname:/etc/host_hostname:ro -p 8000:80 \
-e MULTILINE_PATTERN='^\[\d{4}-\d{2}-\d{2}' \
-e LOGSPOUT=ignore  \
-e MULTILINE_MATCH=first \
gliderlabs/logspout \
multiline+syslog+tcp://172.17.0.1:5000

[jkqjkq]

With "tcp", there will be a problem, after removing it, use the default "udp", there is no problem

[lukasa1993]

same problem with tls

[mauropanzeriitaliaonline]

resuscitating this issue for whomever come here searching for a solution to this very problem: thoroughly search for non-printable characters in your logs.
In my case, docker container's emitting the logs, were prepending an ANSI color at the beginning of each line, followed by a date.
so after a lot of trial and error i came up with my specific case:

      - MULTILINE_MATCH=first
      - MULTILINE_PATTERN=^(.\[2m)(\d{4}-\d{2}-\d{2})

.\[2m is the "color" for my case, it could change for you.
try to capture the raw log from the original docker container to catch these hidden chars.

A more general regex to detect ANSI color is:

\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]

(also useful to remove them with a mutate => gsub to remove them in logstash)