Exclude lines not working with multiline

EliWallic · April 16, 2020, 9:46pm

Hello,

I am trying to import some logs and configured it with an exclusion line and multiline.
If I configure just the exclusion its working for this but if I also configure multiline in addition it seems to be ignored as the lines which should be excluded were imported.
All is send to logstash.

Config:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - C:/Logs/**
  exclude_lines: ['^[*]+$']
  multiline.pattern: ^Command start
  multiline.negate: true
  multiline.match: after

What I have:

**********************
Command start time: 20200416214821
**********************
**********************
Start time: 20200416214819
Username: WORKGROUP\SYSTEM
RunAs User: WORKGROUP\SYSTEM
**********************
True
**********************
**********************
Command start time: 20200416225643
**********************
**********************
Start time: 20200416225312
Username: WORKGROUP\SYSTEM
RunAs User: WORKGROUP\SYSTEM
**********************
False
**********************

What I try:

all ********************** should be exluded (not working)
From 'Command start' till the next should be one event (working)

Any idea whats wrong?

Best Regards

mtojek · April 17, 2020, 6:48am

You can try to figure out the best fit for your format using the Grok debugger: https://grokdebug.herokuapp.com/

EliWallic · April 17, 2020, 6:41pm

Hi,

thanks but I am a little confused. If I use the two links from here: https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html

http://grokdebug.herokuapp.com/ - it shows nothing
http://grokconstructor.appspot.com/ - it shows the right matches

EliWallic · April 17, 2020, 9:03pm

Found a solution for me. The regex wasnt correct.

system · May 15, 2020, 9:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.