Wednesday, June 24, 2015

Example Logstash config to parse Java / Scala multiline logs (e.g. stacktraces) into ES


Java/Scala stack traces are multiline, and usually they have the message starting from

Any line that doesn't start with '[' is joined onto the previous line, i.e. the one that begins with '['.

E.g. this works with Logstash 1.4.0+:

filter {
  if [type] == "app_logs" {
    # Lines that do not start with '[' are continuation lines: glue them to the previous event
    multiline {
      pattern => "^[^\[]"
      what => "previous"
    }
    # Split the header line into fields; the joined stack trace ends up in 'msg'
    grok {
      match => { "message" => "\[(?<app_log_timestamp>.+)\] \[%{WORD:app_name}\] \[(?<thread_name>.+)\] \[(?<class_name>.+)\] \[(?<marker>[a-zA-Z]*)\] \[(?<transaction_id>.*)\] \[%{WORD:log_level}\]: ?%{GREEDYDATA:msg}" }
    }
    # Replace @timestamp with the time taken from the log line
    date {
      match => ["app_log_timestamp", "MM/dd HH:mm:ss:SSS", "ISO8601"]
      target => "@timestamp"
      add_tag => [ "timestamp_updated_w_log_value" ]
      remove_field => [ "app_log_timestamp" ]
    }
  }
}

This works for any Java multiline log; the only rule is that continuation lines must not start with '['.
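As an added check that is not part of the original post, the same joining rule, grok pattern and date format re-implemented in Python, so candidate log lines can be run through them offline before touching the Logstash config; the sample lines, class and package names are constructed.

```python
import re
from datetime import datetime

# Python equivalent of the grok pattern above: %{WORD} -> \w+, %{GREEDYDATA} -> .*
# (DOTALL so the joined stack trace stays in msg). Lazy .+? stands in for grok's
# greedy .+; on well-formed lines both give the same split.
LOG_RE = re.compile(
    r"\[(?P<app_log_timestamp>.+?)\] \[(?P<app_name>\w+)\] \[(?P<thread_name>.+?)\] "
    r"\[(?P<class_name>.+?)\] \[(?P<marker>[a-zA-Z]*)\] \[(?P<transaction_id>.*?)\] "
    r"\[(?P<log_level>\w+)\]: ?(?P<msg>.*)",
    re.DOTALL,
)

# Constructed sample (not from the post): an ERROR with a stack trace, a one-line
# INFO event, and a WARN line whose marker contains a digit.
SAMPLE_LINES = [
    "[06/24 16:43:51:393] [app_name] [pool-99-thread-999] [ClassName] [smth] [bar] [ERROR]: Cannot load XXX",
    "java.lang.RuntimeException: Exception while executing statement",
    "\tat com.example.Dao.run(Dao.java:42)",
    "[06/24 16:43:52:001] [app_name] [main] [Boot] [] [] [INFO]: Started",
    "[06/24 16:43:53:000] [app_name] [main] [Boot] [smth0] [bar] [WARN]: digit in marker",
]

def join_multiline(lines):
    # multiline { pattern => "^[^\[]" what => "previous" }: a line that does not
    # start with '[' is appended to the previous event.
    events = []
    for line in lines:
        if line.startswith("[") or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

def parse_event(event):
    # Grok fields for one joined event, or None where Logstash would tag the event
    # _grokparsefailure: marker is [a-zA-Z]*, so 'smth0' does not match.
    m = LOG_RE.match(event)
    if not m:
        return None
    fields = m.groupdict()
    # date { match => ["app_log_timestamp", "MM/dd HH:mm:ss:SSS", ...] }: the format
    # has no year, so strptime defaults to 1900 (Logstash assumes the current year).
    fields["@timestamp"] = datetime.strptime(fields.pop("app_log_timestamp"),
                                             "%m/%d %H:%M:%S:%f")
    return fields

def parse_log(lines):
    return [parse_event(e) for e in join_multiline(lines)]
```

Feed your own lines in place of SAMPLE_LINES: a None in the result is exactly the event that would carry _grokparsefailure in ES.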

Useful link: http://logstash.net/docs/1.4.0.rc1/filters/multiline

Also, starting from Logstash 1.2 there is a 'multiline' codec (http://logstash.net/docs/1.2.2/codecs/multiline). But I didn't get it to work properly with Logstash 1.4. What I tried:

input {
  file {
    codec => multiline {
      pattern => "^\s"
      what => "previous"
    }
    # ..... file path and so on
  }
}

The issue I hit with the 'multiline' codec: Java stack traces were parsed without their very first line. E.g. in ES I was getting:

java.lang.RuntimeException: Exception while executing statement : An I/O error occurred while sending to the backend. errorCode: 0, sqlState: 08006 at ... [other stacktrace lines omitted]

Instead of expected:

[06/24 16:43:51:393] [app_name] [pool-99-thread-999] [ClassName] [smth0] [bar] [ERROR]: Cannot load XXX java.lang.RuntimeException: Exception while executing statement : An I/O error occurred while sending to the backend. errorCode: 0, sqlState: 08006 at ... [other stacktrace lines omitted]
