Filebeat multiline configuration issue

zozo6015 · February 7, 2018, 10:29pm

Hello,

I am trying to parse a java log file using filebeat with multiline. The filebeat.yml looks like this:

filebeat.prospectors:
  - type: log
    enabled: true
   paths:
     - /home/jetty/logs/*.log
   tags: ["jetty"]
   fields_under_root: true
   fields:
      service: jetty
   multiline.pattern: ^[A-Z]{3} [0-9]{2}, [0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A,P]M
   multiline.negate: true
   multiline.match: after
   multiline.flush_pattern: ^[A-Z]{3} [0-9]{2}, [0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A,P]M

in logstash I am getting everything in one message and files are not split up in different packets following the multiline.pattern rule. As in the following example:

https://pastebin.com/MqxrB4TY

Any suggestion?

Thanks in advance

steffens · February 8, 2018, 11:45pm

I don't really understand. Is the problem with multiline or do you want help with parsing?

What exactly does your input look like? How do you want your output to look like?

The pastebin seems to suggest that you basically send the complete file's contents as one event to logstash. This correct? Why not have filebeat send the single log lines as events?

system · March 8, 2018, 11:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat multiline with line breaks Beats	10	2546	June 23, 2017
Filebeat multiline works as single liners Beats filebeat	2	581	March 4, 2019
Multiline Pattern not Working Beats filebeat	1	516	October 7, 2019
Multiline Parsing Beats filebeat	2	599	October 24, 2017
Multiline Pattern - Filebeat Beats filebeat	10	1111	October 14, 2019

Filebeat multiline configuration issue

Related topics