hi,
I have a multiline configuration like this:
multiline.pattern : '^.{22}*'
multiline.negate: false
multiline.match: after
and filebeat joins the lines if a * is found at column 23
each original line has a \t to separate fields, so it would be nice if filebeat add a \t before joining lines
So, If a line has 10 \t separator, it is a concatenation of two lines; if a line has 15 \t separator; it is a concatenation of three lines and so on.
Is it possible ?
Do you have some sample logs and output you want? Filebeat splits lines on \n or \r\n only. A custom split pattern for events is not yet configurable.
For example,
2017/10/23 l1f1\tl1f2\l1f3
2017/10/23 *l2f1\tl2f2\l2f3
and driven by the star in column 12,
2017/10/23 l1f1\tl1f2\l1f3\t2017/10/23 *l2f1\tl2f2\l2f3
If I understand you correctly, you want to replace * with \t. Filebeat still inserts the \n character. You will have to use logstash or elasticsearch ingest node to do additional processing to replace characters.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.