Hello,
i am using dissect processor to parse a multiline log.
i got the error dissect_parsing_error, i think it s because of the \n.
Do you have any idea where i can find any exemple of filebeat dissect for multiline.
Thank you.
Hi!
One starting point could be the docs: Dissect strings | Filebeat Reference [7.12] | Elastic
Hi, thanks for your answer.
I looked into the doc but i didnt find an exemple how to deal with the line break !
All right, since you have multiline logs do you also use multiline options so as to congest the lines into one first?
I think that first you will need to handle the multiline lines and then apply the processor on top of it. Sth like this -> beats/log.yml at 83f248e3eff044d7785efca79de138d70ee81b4c · elastic/beats · GitHub
Yes , i already configured the multiline, i have the field message in this format
"id : x
time : x
user : x"
tried to match it with :
- dissect:
tokenizer: '"id : %{id}\ntime : %{time}\nuser : %{user}"'
field: "message"
target_prefix: ""
but i am having dissect_parsing_error
I see...I'm not sure if tokenizer can work with this new_line thing included. How about using Script Processor | Filebeat Reference [7.12] | Elastic so as to have more flexibility to handle the message?
Thank you for your answer, i fixed the issue using tokenizer,
juste deleted the single quote
tokenizer: "id : %{id}\ntime : %{time}\nuser : %{user}"
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.