I have FileBeat running with the multiline option feeding Logstash with a grok filter and everything seems to parse properly and ingest into Elasticsearch fine. The problem is display in Kibana. I have a pie-chart that displays logger and logmessage fields but those loggers associated with an error loglevel (all of which are stacktraces) appear to have no logmessage - but the Discover tab does show those events as having a multiline logmessage. I have another visualization on my dashboard, a data table, that just shows logmessages. When I drill down on the pie-chart to filter to error level events, the data table also becomes empty.
Does kibana have trouble displaying multiline values? I think I expect to see the first few words truncated to display area.
Sorry I can't provide screenshots - I'm on a private network. I'm probably not describing it very well but it's simply that multiline strings are not displayed. Is this normal?
I'll try to elaborate a little more. Every event has "logger" and "logmessage" fields. I have a pie-chart with two rings. The inner is my "logger" field and the outer is my "logmessage" field. All the "logger" segments have one or more "logmessage" values except for those with a multiline "logmessage" (stacktraces in my original log file). Those segments appear empty - no color, no hover - in the outer ring. I'm not sure what should appear: a multiline hover or just the first line, but something should appear.
Kibana doesn't have any issue with multi-line values. The data set that I use had several of them. There must be an issue elsewhere, but I'm having a hard idea where that might...
Thanks for replying Spencer. How do the multiline values appear, for instance, when hovering in a pie-chart? Do you see the whole 20+ lines or just one line?
I'm using split slices for terms for both logger.raw and logmessage.raw. Logger on the inside and logmessage on the outer ring. The logger in question is accompanied with a blank section in the outer ring - no mouseover or color. Yet I see that logger in Discover with a multiline logmessage!
Further, if I create a new pie-chart for term "logmessage.raw" and enter into the search field at top of the page the logmessage in question it displays in the chart fine.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.