Filbeat, Fields and Multiline

Kryten · September 1, 2016, 9:57am

Hi,

I'm testing out some configurations with Filebeat and one thing which I am struggling to accomplish is having Filebeat add some form of indication to the event if it has been handled by multiline.

The events are being sent to a Logstash layer within which I would like to test whether or not the event is a multline. if the event is a multiline we'd like to just send the event 'as is', but if not we would like to further enrich the event before sending to ES.

Having a simple way to test whether or not the event is a multiline by testing for the existence of a basic field or value seems like the simplest way to do this. If we cannot inject a field or tag to test on are there any other techniques that could be used?

Thanks

steffens · September 1, 2016, 11:44am

This currently not possible. Related github ticket.

Kryten · September 1, 2016, 1:13pm

Thanks very much. No update on that enhancement since April? Can I take that to mean its not very likely to happen?

ruflin · September 1, 2016, 1:27pm

There is already an open PR, but WIP: https://github.com/elastic/beats/pull/2279

system · September 22, 2016, 9:57am

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
Filebeat and Multiline Problem Beats filebeat	3	1195	September 14, 2016
Multline Logs via filebeat Beats filebeat	3	343	April 10, 2018
Filebeat and multiline events Logstash	1	184	May 27, 2021
Add 'multiline' to tags field Beats filebeat	5	2154	July 5, 2017
Unable to push multiline events from Filebeat to Logstash Beats filebeat	1	365	September 15, 2020

Filbeat, Fields and Multiline

Related topics