Filebeat multiline configuration issue

zozo6015 · February 7, 2018, 10:29pm

Hello,

I am trying to parse a java log file using filebeat with multiline. The filebeat.yml looks like this:

filebeat.prospectors:
  - type: log
    enabled: true
   paths:
     - /home/jetty/logs/*.log
   tags: ["jetty"]
   fields_under_root: true
   fields:
      service: jetty
   multiline.pattern: ^[A-Z]{3} [0-9]{2}, [0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A,P]M
   multiline.negate: true
   multiline.match: after
   multiline.flush_pattern: ^[A-Z]{3} [0-9]{2}, [0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A,P]M

in logstash I am getting everything in one message and files are not split up in different packets following the multiline.pattern rule. As in the following example:

https://pastebin.com/MqxrB4TY

Any suggestion?

Thanks in advance

steffens · February 8, 2018, 11:45pm

I don't really understand. Is the problem with multiline or do you want help with parsing?

What exactly does your input look like? How do you want your output to look like?

The pastebin seems to suggest that you basically send the complete file's contents as one event to logstash. This correct? Why not have filebeat send the single log lines as events?

system · March 8, 2018, 11:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.