Add 'multiline' to tags field

incogniro · February 9, 2016, 2:38pm

The logstash multiline plugin adds the value 'multiline' to tags. Then it is possible to perform additional processing of such events:


if 'multiline' in [tags] {
 ....
}

Are there plans to add this into Filebeat?

magnusbaeck · February 9, 2016, 2:42pm

I'm curious, what conditional extra processing do you perform just because the line was joined from multiple physical lines?

incogniro · February 9, 2016, 2:44pm

if 'multiline' in [tags] {
  mutate { # Replace all new line characters with a label.
    gsub => [ '[@metadata][message]', '\n', '<<NEWLINE>>' ] 
  }
}

The newline characters are replaced with a label which another system uses to parse the line.

steffens · February 9, 2016, 10:59pm

Feel free to add an enhancement request to github.com/elastic/beats. Some indicator to flag merged lines totally makes sense.

incogniro · February 10, 2016, 12:58pm

Enhancement to include indication of a multiline has been recorded.

Topic		Replies	Views
Why beats does not add tag after aggregated mutilline Beats	2	284	August 3, 2018
Add field multiline under multiline filebeat/logstash Logstash	2	464	March 22, 2022
Add_tag upon max_lines reached in multiline Beats filebeat	3	857	June 29, 2016
Filbeat, Fields and Multiline Beats	4	741	September 22, 2016
Multiline codec in if else condition in beat input of logstash Logstash	8	2523	January 15, 2018

Add 'multiline' to tags field

Related Topics