Having an issue with a multiline parser in one of our own filebeat instances for Redhat AMQ logs, which puzzles me, so any hints are appreciated. TIA.
I see all events dropped in the filebeat log due to an error like this:
{\"type\":\"mapper_parsing_exception\",\"reason\":\"failed to parse field [@timestamp] of type [date] in document with id 'mL4KJogBExph4ByXEjTj'. Preview of field's value: '2023-05-16 21:29:19,658'\",\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"failed to parse date field [2023-05-16 21:29:19,658] with format [strict_date_optional_time||epoch_millis]\",\"caused_by\":{\"type\":\"date_time_parse_exception\",\"reason\":\"date_time_parse_exception: Failed to parse with all enclosed parsers\"}}}, dropping event!","service.name":"filebeat","ecs.version":"1.6.0"}
Our parser looks like this:
parsers:
  - multiline:
      type: pattern
      # Example: 2022-07-06 10:29:32 ...
      # Example: 2022-07-06 10:29:28,022 ...
      # Example: 2023-05-15 15:20:18,676 INFO
      pattern: '^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}'
      negate: true
      match: after
      max_lines: 5000
A similar parser works fine for other logs in other instances.
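As an added illustration (not the poster's code and not part of filebeat), the script below emulates what the multiline config above does with `negate: true` / `match: after` and converts the `2023-05-16 21:29:19,658` style timestamp from the error into the ISO 8601 form that `strict_date_optional_time` does accept. The log lines are constructed, and UTC is assumed for the converted timestamp.

```python
import re
from datetime import datetime

# The filebeat pattern from the post, translated to Python's re ([[:digit:]] -> \d).
LINE_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# Leading timestamp of an event, with or without the ",SSS" millisecond part.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:,\d{3})?")

# Constructed sample: two single-line events, one stack trace, one line in the no-millis format.
SAMPLE_LINES = [
    "2023-05-16 21:29:19,658 INFO  [main] Broker started",
    "2023-05-16 21:29:20,001 ERROR [Thread-2] Connection failed",
    "javax.jms.JMSException: Disconnected",
    "\tat example.Stack.frame(Unknown Source)",
    "2022-07-06 10:29:32 WARN  [main] Timestamp without milliseconds",
]


def group_multiline(lines):
    """Emulate multiline with negate: true, match: after.

    A line that does NOT match the pattern is appended to the previous event;
    a line that matches starts a new event.
    """
    events = []
    for line in lines:
        if LINE_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def event_timestamp(event):
    """Return the raw leading timestamp of an event, e.g. '2023-05-16 21:29:19,658'."""
    m = TIMESTAMP.match(event)
    return m.group(0) if m else None


def amq_timestamp_to_iso(ts):
    """Convert '2023-05-16 21:29:19,658' or '2022-07-06 10:29:32' to
    '2023-05-16T21:29:19.658Z', a value strict_date_optional_time accepts.
    The raw value with a space and a comma is what Elasticsearch rejects."""
    for fmt in ("%Y-%m-%d %H:%M:%S,%f", "%Y-%m-%d %H:%M:%S"):
        try:
            dt = datetime.strptime(ts, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    # UTC assumed: the log line carries no zone information.
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"
```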