File beat multiline is not working for XML type of files

rajkamalkool6 · March 22, 2016, 6:34am

Hi,

I am using logstash 2.2.1 ,logstash-input beats-2.1.3 and filebeat 1.1.2 . I have some XML type of log files. I have written beats config. I am facing the following issue

Issue 1: The xml log file multiline events are not getting combined into single event as expected.

Below is my beats yml file configuration.

> filebeat:
>   prospectors:
>     -
>       paths:
>          - /logs/mylogs/2015*/*.xml
>       document_type: server_log
>       registry_file: /myarea/config/mylogs/.filebeat      
>   multiline:
    pattern: "^<error"
>     negate: true
>     match: after
> output: 
>   logstash:     
>      hosts: ["localhost:11689"]
> console:
>     pretty: true

My sample XML log will be in below format

<error id="1qas79" host="hhy789">
<snapshot>
<variable name="a">
  <item string="sss"> </item>
</variable>
</snapshot>
</error>

steffens · March 22, 2016, 11:30am

For regexes better use single quotes: pattern: '^<error'.

See this regex sample code and press run. Every line beginning with false should indicate a new multiline-event

Content is 2 xml events as mentioned in variable content, and regular expression in pattern. Try by replacing content with a few events/lines from your original logs and see if pattern works ok.

Is there a chance of having whitespace before <error>?

rajkamalkool6 · March 22, 2016, 11:46am

Thanks for your guidance. Let me try your suggestion and let you know the result.

There is no whitespace before my tag <error>

rajkamalkool6 · March 25, 2016, 5:59am

Hi Steffen, I have tried the pattern: '^<error'. and I also include one more proerty in my beats YML file. input_type: xml. After this my issue got resolved.

Thank you steffen

ruflin · March 27, 2016, 7:32pm

@rajkamalkool6 input_type: xml is not a valid input type. Not sure how that helped?

steffens · March 29, 2016, 12:05pm

you sure logs are send correctly? There is no input_type: xml. Valid values for input_type are log and stdin only.

rajkamalkool6 · April 1, 2016, 7:11am

No after removing input_type: xml its working, by default its taking as log only.

steffens · April 1, 2016, 11:17am

input_type: xml doesn't exists. input_type is kind of the 'plugin'-type to use. As xml does not exist it will fall back for log.

rajkamalkool6 · April 1, 2016, 11:37am

Yes you are right

Topic		Replies	Views
Fail to use multiline input mode in filebeats Beats filebeat	2	391	January 6, 2020
Multiline logs are not working using filebeat Beats filebeat	1	507	November 19, 2021
Multiline pattern not working in filebeat input_type -filestream Kibana	6	297	July 10, 2022
Something wrong with multiline Beats filebeat	4	349	August 22, 2018
Filebeat - multiline: Ingest XML's without line feed at end of file Beats filebeat	7	3348	October 16, 2017

File beat multiline is not working for XML type of files

Related Topics