By default, Filebeat parses log files line by line and creates message events after every new line. Is there any way I can have the whole log file in one message event instead of chunks in Elasticsearch?
The use case is not something I would recommend, but you can use the multiline option on the prospector with a very high setting for multiline.max_lines.
https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html
You would have to search for a regex that is never the beginning of a line... that will be the hard part.
Edit:
You could try something like:
multiline.pattern: '^.'
multiline.negate: false
multiline.match: after
multiline.max_lines: 1000000
Thanks, this one works for me.
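An added example, not part of the thread and not Filebeat's own code: a simplified Python model of the documented multiline rules for `match: after`, run over constructed sample lines. It shows two limits of the settings above: a blank line does not match `^.` and so starts a new event, and lines beyond `max_lines` are discarded. The names `group_after`, `SAMPLE` and `NO_BLANKS` are hypothetical, and `multiline.timeout` and `max_bytes` are not modelled.

```python
import re


def group_after(lines, pattern, negate=False, max_lines=500):
    """Group lines into events the way multiline.match: after is documented.

    A line that matches the pattern (or does not match, when negate is True)
    is a continuation and is appended to the current event. Any other line
    closes the current event and starts a new one. Continuation lines past
    max_lines are dropped, as the Filebeat documentation describes.
    """
    rx = re.compile(pattern)
    events, current = [], None
    for line in lines:
        continuation = bool(rx.search(line)) != negate
        if current is not None and continuation:
            if len(current) < max_lines:
                current.append(line)
            # else: the line is discarded, the event stays open
        else:
            if current is not None:
                events.append("\n".join(current))
            current = [line]
    if current is not None:
        events.append("\n".join(current))
    return events


# Constructed sample input: one log file with a blank line in the middle.
SAMPLE = ["2024-01-01 start job", "  step 1 ok", "", "  step 2 ok", "done"]
# Constructed sample input without blank lines.
NO_BLANKS = ["a", "b", "c", "d"]

if __name__ == "__main__":
    # Settings from the thread: pattern '^.', negate false, match after.
    for event in group_after(SAMPLE, r"^.", max_lines=1000000):
        print(repr(event))
    # A low max_lines silently truncates the combined event.
    print(group_after(NO_BLANKS, r"^.", max_lines=2))
```

Because the model is simplified, confirm the behaviour against a real Filebeat instance before relying on complete-file events, for example for audit logs.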