Exclude lines not working with multiline

Hello,

I am trying to import some logs and configured it with an exclusion line and multiline.
If I configure just the exclusion, it's working for this, but if I also configure multiline in addition, it seems to be ignored, as the lines which should be excluded were imported.
All is sent to Logstash.

Config:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - C:/Logs/**
  exclude_lines: ['^[*]+$']
  multiline.pattern: ^Command start
  multiline.negate: true
  multiline.match: after

What I have:

**********************
Command start time: 20200416214821
**********************
**********************
Start time: 20200416214819
Username: WORKGROUP\SYSTEM
RunAs User: WORKGROUP\SYSTEM
**********************
True
**********************
**********************
Command start time: 20200416225643
**********************
**********************
Start time: 20200416225312
Username: WORKGROUP\SYSTEM
RunAs User: WORKGROUP\SYSTEM
**********************
False
**********************

What I try:

  • all ********************** should be excluded (not working)
  • From 'Command start' till the next should be one event (working)

Any idea what's wrong?

Best Regards

You can try to figure out the best fit for your format using the Grok debugger: https://grokdebug.herokuapp.com/

Hi,

thanks but I am a little confused. If I use the two links from here: https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html

http://grokdebug.herokuapp.com/ - it shows nothing
http://grokconstructor.appspot.com/ - it shows the right matches

Found a solution for me. The regex wasn't correct.
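An added example, not part of the thread and not Filebeat's own code: the Filebeat documentation states that when multiline is configured, each multiline message is combined before exclude_lines is applied, so the anchored pattern `^[*]+$` is tested against whole events. The sketch below is a simplified model of that order using the two patterns from the question; the function names and the shortened sample are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample, shortened from the log in the question.
const sample = `**********************
Command start time: 20200416214821
**********************
True
**********************
**********************
Command start time: 20200416225643
**********************
False
**********************`

var start = regexp.MustCompile(`^Command start`) // multiline.pattern
var exclude = regexp.MustCompile(`^[*]+$`)       // exclude_lines

// joinMultiline models negate: true, match: after (non-matching lines join the open event).
func joinMultiline(lines []string) []string {
	var events []string
	for _, l := range lines {
		if start.MatchString(l) || len(events) == 0 {
			events = append(events, l)
		} else {
			events[len(events)-1] += "\n" + l
		}
	}
	return events
}

// filter applies the exclusion to whole events, i.e. after the multiline join.
func filter(events []string) []string {
	var kept []string
	for _, e := range events {
		if !exclude.MatchString(e) {
			kept = append(kept, e)
		}
	}
	return kept
}

func main() {
	fmt.Printf("%q\n", filter(joinMultiline(strings.Split(sample, "\n"))))
}
```

Only the stray separator before the first "Command start" line is dropped; both combined events survive with their asterisk lines intact, which matches the behaviour reported in the question.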
