Filbeat exclude and multiline configuration

nmoham · June 14, 2020, 11:26pm

Example Events -

time,thread,logger,level,message
2020-06-11 09:46:50.3836,7,Logs.Shared.ServiceBehaviors.ServiceExceptionHandlerBehavior,Debug,applying ServiceExceptionHandler to UsersService
time,thread,logger,level,message
2020-06-11 10:48:58.2763,7,Logs.Shared.ServiceBehaviors.ServiceExceptionHandlerBehavior,Debug,applying ServiceExceptionHandler to UsersService
time,thread,logger,level,message
2020-06-11 12:09:19.0674,10,Logs.Shared.ServiceBehaviors.ServiceExceptionHandlerBehavior,Debug,applying ServiceExceptionHandler to UsersService
time,thread,logger,level,message
2020-06-11 13:04:28.3982,10,Logs.Shared.ServiceBehaviors.ServiceExceptionHandlerBehavior,Debug,applying ServiceExceptionHandler to UsersService

I am trying to exclude the line time,thread,logger,level,message and at the sametime, I may have multiple lines to the original event.

I'm using the following processor, so that all the log files as inputs are affected -

  - drop_event:
      when:
        regexp:
          message: "^time|.*Signal.*|.*MetricsErrorHandler.*"

I also tried exclude lines, but the events time,thread,logger,level,message are getting appended to the log event of interest.

  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after

Appreciate any ideas / help.

Mario_Castro · June 15, 2020, 8:45am

I'm not sure about the internals of Filebeat in this case, but I'll try making a less strict pattern. Maybe remove the ^ in ^time| and simply write time,thread,logger,level,message directly.

system · July 13, 2020, 10:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.