Filebeat and Multiline Problem

Elastic Stack Beats
1

Hi,

I'm using Filbeat 1.2.3 on Windows and seeing a problem with multiline and would appreciate someone pointing out what I must be doing wrong.

I'm sending my Filebeat events to Logstash. Here are the relevant configs:-

Filebeat target file content:

lineone
linetwo
linethree
linefour
linefive

Filebeat.yml

filebeat:
prospectors:
-
input_type: log
paths:
- "E:/target/*.txt"

multiline:
pattern: 'linethree'
match: before

logging:
files:
rotateeverybytes: 10485760

output:
logstash:
hosts: ["xxxxxx:6379"]
index: filebeat

Logstash config file:

input {

beats {
	port => 6379
}

}
filter {
# Filters go here as required

}

output {

stdout {

    codec => rubydebug
}

}

What I get (on the Logstash stdout):
{
"message" => "linetwo",
"@version" => "1",
"@timestamp" => "2016-08-24T13:41:13.849Z",
"count" => 1,
"fields" => nil,
"beat" => {
"hostname" => "xxxxxx",
"name" => "xxxxxx"
},
"type" => "log",
"input_type" => "log",
"offset" => 32574,
"source" => "E:\target\sampledata.txt",
"host" => "xxxxxx",
"tags" => [
[0] "beats_input_codec_plain_applied"
]
}
{
"message" => "linethree",
"@version" => "1",
"@timestamp" => "2016-08-24T13:41:13.849Z",
"type" => "log",
"fields" => nil,
"source" => "E:\target\sampledata.txt",
"offset" => 32583,
"input_type" => "log",
"count" => 1,
"beat" => {
"hostname" => "xxxxxx",
"name" => "xxxxxx"
},
"host" => "xxxxxx",
"tags" => [
[0] "beats_input_codec_plain_applied"
]
}
{
"message" => "linefour",
"@version" => "1",
"@timestamp" => "2016-08-24T13:41:13.849Z",
"count" => 1,
"type" => "log",
"input_type" => "log",
"source" => "E:\target\sampledata.txt",
"offset" => 32594,
"fields" => nil,
"beat" => {
"hostname" => "xxxxxx",
"name" => "xxxxxx"
},
"host" => "xxxxxx",
"tags" => [
[0] "beats_input_codec_plain_applied"
]
}
{
"message" => "linefive",
"@version" => "1",
"@timestamp" => "2016-08-24T13:41:13.849Z",
"source" => "E:\target\sampledata.txt",
"offset" => 32604,
"type" => "log",
"input_type" => "log",
"count" => 1,
"beat" => {
"hostname" => "xxxxxx",
"name" => "xxxxxx"
},
"fields" => nil,
"host" => "xxxxxx",
"tags" => [
[0] "beats_input_codec_plain_applied"
]
}

My question, is why is line three "linethree" not being appended to line two "linetwo"? Is that not what should happen?

2

can you correctly format (use </> button) the config files? YAML (the config file format) is sensitive to indentation and characters used. It seems multiline is not applied at all, which might a problem due to faulty intendation (use 2 spaces per level + no tabs).

1 Like
3

@steffens
Thank you - yes, it was a broken line in the YAML. All working now :slight_smile:

4

This topic was automatically closed after 21 days. New replies are no longer allowed.