Filebeat Inserts \t in place of tabs

sghosh · May 5, 2016, 1:58am

Hi All,

I am trying to ship logs from servers via filebeat. I faced an issue like this:

Whenever FB forwards log events to remote LS it inserts the literal string \t in place of tab characters. This messes up the logstash grok filters. I have just printed to a file via LS whatever FB gives to it. I noticed the above behavior from this file only. A sample message received by LS would be

"{"message":"2016-05-05 01:44:44,487 INFO [d7d91583-a5f0-4613-ab16-2c9eb4ec69ab] [org.restlet.SpringComponent.LogService] - 2016-05-05\t01:44:44\t192.168.188.101\tsample-api-xY.Sec.re$#@6-FANtasTIC898\t192.168.188.101\t443\tGET\t/api/service\t-\t200\t317\t0\t353\thttps://api.sample.com\tsample-sdk-java/0.1 Linux/2.6.32-573.el6.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/25.72-b15\t-"

As you can see there are a lot of \t characters.

My FB config has the following multiline config:

multiline:
pattern : "^%{TIMESTAMP_ISO8601}"
negate: true
match: after

encoding: utf-8

Any hints where should i be looking at ?

magnusbaeck · May 8, 2016, 8:18pm

In JSON, tab characters are represented by \t so Filebeat isn't doing anything wrong. I'd say the problem is with your grok filter.

sghosh · May 8, 2016, 9:48pm

Thanks.. got it.. Fixed the grok. One more question: If there are too many
new lines I am getting multiline error. This is okay but the second part of
the truncated multiline event is not getting dropped. It is being treated
as a separate event nd causing grokparse failure. Any idea how to deal with
it?

magnusbaeck · May 9, 2016, 5:55am

Please give an example of some input lines that aren't correctly joined to a single event.