Filebeat multiline configuration issue

zozo6015 · February 7, 2018, 10:29pm

Hello,

I am trying to parse a java log file using filebeat with multiline. The filebeat.yml looks like this:

filebeat.prospectors:
  - type: log
    enabled: true
   paths:
     - /home/jetty/logs/*.log
   tags: ["jetty"]
   fields_under_root: true
   fields:
      service: jetty
   multiline.pattern: ^[A-Z]{3} [0-9]{2}, [0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A,P]M
   multiline.negate: true
   multiline.match: after
   multiline.flush_pattern: ^[A-Z]{3} [0-9]{2}, [0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A,P]M

in logstash I am getting everything in one message and files are not split up in different packets following the multiline.pattern rule. As in the following example:

https://pastebin.com/MqxrB4TY

Any suggestion?

Thanks in advance

steffens · February 8, 2018, 11:45pm

I don't really understand. Is the problem with multiline or do you want help with parsing?

What exactly does your input look like? How do you want your output to look like?

The pastebin seems to suggest that you basically send the complete file's contents as one event to logstash. This correct? Why not have filebeat send the single log lines as events?

system · March 8, 2018, 11:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline Parsing Beats filebeat	2	637	October 24, 2017
Filebeat 6.1.1 multiline is not working Beats filebeat	13	2471	February 21, 2018
Filebeat multiline assistance Beats filebeat	4	2138	January 16, 2019
Filebeat Multiline Logger Issues Beats filebeat	3	324	July 26, 2018
Filebeat and Multiline Problem Beats filebeat	3	1213	September 14, 2016

Filebeat multiline configuration issue

Related topics