Dissect processor before multiline parser

Dano_Logos · May 27, 2025, 10:07am

Hello,
I first want to filter prefixes from logs and then merge them into multiline. Currently you can do both as a single feature and also dissect after multiline, but you first can create multilines and then manipulate prefixes - the order is set.

  multiline.type: pattern
  multiline.pattern: '^.* \| \[[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after

  processors:
    - dissect:
        tokenizer: "%{prefix} | %{message}"
        field: "message"
        target_prefix: ""

How would you currently handle it to get the reverse order?

andrewkroh · May 29, 2025, 1:10am

You cannot change the order. Multiline aggregation is built into the input (like log or filestream), and processors are always run on the events emitted from the inputs.

The current design of processors doesn’t support aggregation, so we couldn’t move multiline into that stage. Processors follow a model of one event in and one event out, so this interface doesn’t allow aggregating multiple events into a single one.

Topic		Replies	Views
Multiline - multiple level of multiline in Filebeat Beats filebeat	5	349	April 9, 2020
Multiline configuration Beats filebeat	7	2053	August 29, 2016
Exclude data before multiline? Beats filebeat	3	1423	October 11, 2016
Dissect combined with multiline pattern gives errors Beats filebeat	6	3262	August 5, 2020
In what order are the options processed Beats filebeat	3	801	July 5, 2017

Dissect processor before multiline parser

Related topics