Dissect processor before multiline parser

Dano_Logos · May 27, 2025, 10:07am

Hello,
I first want to filter prefixes from logs and then merge them into multiline. Currently you can do both as a single feature and also dissect after multiline, but you first can create multilines and then manipulate prefixes - the order is set.

  multiline.type: pattern
  multiline.pattern: '^.* \| \[[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after

  processors:
    - dissect:
        tokenizer: "%{prefix} | %{message}"
        field: "message"
        target_prefix: ""

How would you currently handle it to get the reverse order?

andrewkroh · May 29, 2025, 1:10am

You cannot change the order. Multiline aggregation is built into the input (like log or filestream), and processors are always run on the events emitted from the inputs.

The current design of processors doesn’t support aggregation, so we couldn’t move multiline into that stage. Processors follow a model of one event in and one event out, so this interface doesn’t allow aggregating multiple events into a single one.

Topic		Replies	Views
Multiline - multiple level of multiline in Filebeat Beats filebeat	5	349	April 9, 2020
Dissect first then multiline in filebeat Beats filebeat	3	144	January 8, 2025
Dissect combined with multiline pattern gives errors Beats filebeat	6	3251	August 5, 2020
Filebeat dissect line break Beats filebeat	7	1697	June 3, 2021
Filebeat exclude lines with multiline Beats filebeat	2	725	September 19, 2022

Dissect processor before multiline parser

Related topics