Hi,
I'm a bit stumped trying to determine why this config using old-style multine.*
conf values works :
filebeat.inputs:
- type: stdin
id: multi-line-log-ex
close_eof: true
enabled: true
multiline.pattern : '^\d'
multiline.negate : true
multiline.match : after
output.console:
pretty: true
But this one using the new parsers config does not:
filebeat.inputs:
- type: stdin
id: multi-line-log-ex
close_eof: true
enabled: true
parsers:
- multiline:
type: pattern
pattern: '^\d'
negate: true
match: after
output.console:
pretty: true
It could be some kind of YAML indentation issue but the documentation does not help as is doesn't provide complete YAML files, only snippets.
There's also not much in the FileBeat logs to indicate what it has or has not understood about the config file. Some kind of flag that would dump the configuration, as understood and parsed into the FileBeat logs would be a godsend. Or maybe the test config
option could dump the whole config instead of just "Config OK"...
For reference here is a sample log:
2010-04-10T21:40:03.625Z|| Some message
2010-04-10T21:41:03.625Z|| foo - Exception occurred
Exception details
at foo(foo.java):92
at bar(bar.java):18
2010-04-10T21:42:03.625Z|| Another message
And the command line I'm using the test it out (Docker on Windows, so you may need to change paths etc.)
cat .\logs\sample.log | docker run -i --rm -v "${PWD}\filebeat.yml:/usr/share/filebeat/filebeat.yml:ro" docker.elastic.co/beats/filebeat:8.11.1 run --once --strict.perms=false -e
Cheers,
Adam