Hi @fgjensen,
After encountering the same issue and wasting some hours on it, I managed to debug the issue thanks to the fact that Filebeat is open source.
Basically, the error says "unknown matcher type: ". After the ':', the code places the value found for multiline.match. In my case, this space is blank, which means the parser is unable to find the value specified in the configuration.
There are 2 workarounds to this:
- the one you mentioned where you specifically type multiline.match
- indent all entries under the multiline statements (and this is actually where the documentation is wrong). Instead of looking like this:
```yaml
filebeat.inputs:
- type: filestream
  enabled: true
  paths:
    - /root/21.log
  parsers:
    - multiline:
      type: pattern
      pattern: ^([\d-]{8,10} [\d:.]{8,12})
```
it should look like this:
```yaml
filebeat.inputs:
- type: filestream
  enabled: true
  paths:
    - /root/21.log
  parsers:
    - multiline:
        type: pattern
        pattern: ^([\d-]{8,10} [\d:.]{8,12})
```
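
An added example (not part of the original post and not Filebeat code): a small stand-alone Python check that flags the mis-indentation described above, where the settings under `- multiline:` sit at the key's own column. The function name and the sample configs are constructed for illustration, and the check is an indentation heuristic, not a full YAML parser.

```python
import re

# A "- name:" list item whose value, if any, starts on a later line.
ITEM = re.compile(r"^(\s*)- (\w+):\s*$")

# Constructed samples based on the two layouts in the post.
BROKEN = r"""filebeat.inputs:
- type: filestream
  enabled: true
  paths:
    - /root/21.log
  parsers:
    - multiline:
      type: pattern
      pattern: ^([\d-]{8,10} [\d:.]{8,12})
"""
FIXED = BROKEN.replace("      type:", "        type:").replace(
    "      pattern:", "        pattern:")


def find_empty_parsers(config_text):
    """Return (line_number, key) for each '- key:' item whose settings sit at
    the key's own column, which YAML reads as siblings of a null-valued key."""
    lines = config_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = ITEM.match(line)
        if not m:
            continue
        key_col = len(m.group(1)) + 2  # column of the key after "- "
        for nxt in lines[i + 1:]:
            text = nxt.strip()
            if not text or text.startswith("#"):
                continue  # skip blank lines and comments
            indent = len(nxt) - len(nxt.lstrip(" "))
            # A nested list may start at the key's column; a mapping key there is a sibling.
            if indent == key_col and not text.startswith("- "):
                findings.append((i + 1, m.group(2)))
            break  # only the first meaningful line after the item matters
    return findings


if __name__ == "__main__":
    print("broken:", find_empty_parsers(BROKEN))
    print("fixed: ", find_empty_parsers(FIXED))
```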