Filbeat, Fields and Multiline

Kryten · September 1, 2016, 9:57am

Hi,

I'm testing out some configurations with Filebeat and one thing which I am struggling to accomplish is having Filebeat add some form of indication to the event if it has been handled by multiline.

The events are being sent to a Logstash layer within which I would like to test whether or not the event is a multline. if the event is a multiline we'd like to just send the event 'as is', but if not we would like to further enrich the event before sending to ES.

Having a simple way to test whether or not the event is a multiline by testing for the existence of a basic field or value seems like the simplest way to do this. If we cannot inject a field or tag to test on are there any other techniques that could be used?

Thanks

steffens · September 1, 2016, 11:44am

This currently not possible. Related github ticket.

Kryten · September 1, 2016, 1:13pm

Thanks very much. No update on that enhancement since April? Can I take that to mean its not very likely to happen?

ruflin · September 1, 2016, 1:27pm

There is already an open PR, but WIP: https://github.com/elastic/beats/pull/2279

system · September 22, 2016, 9:57am

This topic was automatically closed after 21 days. New replies are no longer allowed.