Hi,
I have put a prospector onto a logfile [1], that is written as XML. An event is wrapped in tags, so I defined a multiline for the beat:
multiline:
  type: pattern
  pattern: '<c>'
  negate: true
  match: after
matching on '' and taking everything from there to (already tried to go before and revert the matching)
However, the events I see on my logstash node as receiver are all one event per line, i.e.,
"message": " <a n=\"RunRemoteUsage\"><s>Usr 0 00:00:29, Sys 0 00:00:13</s></a>"
.../next event/...
"message": " <a n=\"TotalLocalUsage\"><s>Usr 0 00:00:00, Sys 0 00:00:00</s></a>"
.../next event/...
So, I am looking for the bug, why the events are not sent as 'proper' multiline events?
Maybe somebody has an idea for me, what I have been missing here?
Cheers and thanks,
Thomas
[1]
<c>
<a n="TriggerEventTypeName"><s>ULOG_EXECUTE</s></a>
<a n="Proc"><i>0</i></a>
<a n="Subproc"><i>0</i></a>
<a n="EventTypeNumber"><i>28</i></a>
</c>
<c>
<a n="RunRemoteUsage"><s>Usr 1 05:36:14, Sys 0 01:51:08</s></a>
<a n="TotalLocalUsage"><s>Usr 0 00:00:00, Sys 0 00:00:00</s></a>
<a n="ReturnValue"><i>0</i></a>
<a n="RunLocalUsage"><s>Usr 0 00:00:00, Sys 0 00:00:00</s></a>
</c>
<c>
<a n="RunRemoteUsage"><s>Usr 0 00:02:57, Sys 0 00:01:18</s></a>
<a n="TotalLocalUsage"><s>Usr 0 00:00:00, Sys 0 00:00:00</s></a>
<a n="TotalReceivedBytes"><r>0.0</r></a>
</c>
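
Added example, not part of the original post: a simplified Python model of Filebeat's documented multiline `pattern`/`negate`/`match` rules, run over the log excerpt [1] above. The names `group_multiline` and `SAMPLE` are assumptions made for this illustration, not Filebeat code.

```python
import re

# Sample input: the three <c> records from excerpt [1] in the post,
# embedded here so the example runs offline.
SAMPLE = """\
<c>
<a n="TriggerEventTypeName"><s>ULOG_EXECUTE</s></a>
<a n="Proc"><i>0</i></a>
<a n="Subproc"><i>0</i></a>
<a n="EventTypeNumber"><i>28</i></a>
</c>
<c>
<a n="RunRemoteUsage"><s>Usr 1 05:36:14, Sys 0 01:51:08</s></a>
<a n="TotalLocalUsage"><s>Usr 0 00:00:00, Sys 0 00:00:00</s></a>
<a n="ReturnValue"><i>0</i></a>
<a n="RunLocalUsage"><s>Usr 0 00:00:00, Sys 0 00:00:00</s></a>
</c>
<c>
<a n="RunRemoteUsage"><s>Usr 0 00:02:57, Sys 0 00:01:18</s></a>
<a n="TotalLocalUsage"><s>Usr 0 00:00:00, Sys 0 00:00:00</s></a>
<a n="TotalReceivedBytes"><r>0.0</r></a>
</c>
"""

def group_multiline(lines, pattern, negate, match):
    """Group lines into events following the negate/match rules (simplified model)."""
    rx = re.compile(pattern)
    events, current = [], []
    for line in lines:
        # A line continues an event when it matches the pattern (negate: false)
        # or when it does not match the pattern (negate: true).
        continuation = bool(rx.search(line)) != negate
        if match == "after":
            # Continuations are appended to the previous non-continuation line.
            if not continuation and current:
                events.append("\n".join(current))
                current = []
            current.append(line)
        else:
            # match: before -> continuations are prepended to the next
            # non-continuation line, which closes the event.
            current.append(line)
            if not continuation:
                events.append("\n".join(current))
                current = []
    if current:
        events.append("\n".join(current))
    return events
```

Under this model, `pattern: '<c>'` with `negate: true` and `match: after` groups the excerpt into three events, one per `<c>` record, while the excerpt itself has 17 lines.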