I am using Filebeat 8.7. I am trying to follow the instructions here:
I double checked the indentation. Cannot figure out what is wrong. I just want to make sure
a multi-line stack trace is captured into one document instead of one document indexed per line of the stack trace. I see there is an example for the stack trace but I want to make sure the simplest config is working before attempting a more complicated one.
This is the relevant portion of the filebeat.yml
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: filestream
id: ams-api
fields:
app_id: ams-api
paths:
- /opt/amsdev/logs/ams-api-logs/ams-api.log
parsers:
- multiline:
type: pattern
pattern: '\\$'
negate: false
match: before
- type: filestream
id: ams-cache-manager
fields:
app_id: ams-cache-manager
paths:
- /opt/amsdev/logs/ams-cache-manager-logs/ams-cache-manager.log
Error from journalctl:
Exiting: Failed to start crawler: starting input failed: error while initializing input: error while parsing multiline parser config: unknown matcher type: accessing 'filebeat.inputs.0.parsers.0.multiline' accessing 'filebeat.inputs.0' (source:'/etc/filebeat/filebeat.yml')","service.name":"filebeat","ecs.version":"1.6.0"