Logstash parser for PHP's error_log to combine multline stack traces / errors into one event

php-error-logstash.conf

input {
    stdin {
        codec => multiline {
            pattern => "^\[%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{TZ}\]"
            negate => true
            what => "previous"
            auto_flush_interval => 10
        }
        type => "php-error"
    }
}

filter {
    grok {
        match => { "message" => "^\[(?<logtime>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{TZ})\] ?%{GREEDYDATA:message}" }
        overwrite => [ "message" ]
    }

    date {
        match => [ "logtime", "d-MMM-yyyy HH:mm:ss ZZZ" ]
        remove_field => [ "logtime" ]
    }
}

output {
    stdout {
        codec => rubydebug
    }
}