Filebeat multiline - entire log file published as 1 long event

Roy · August 11, 2017, 7:29am

Hi All,

I'm having an issue with filebeat multiline events.
All log file is being published as 1 long message.

My log lines looks like:
"GS category US severity..."

The GS is group seperator in unicode, and filebeat reads ir as "\u001d" and logstash receives it as "\u001D"

Config:

pattern: '^\u001|\u001D'
negate: true
match: after

If i'm changing the log to start lines with different seperator, for example "--".

And configuration:
pattern:'^--'
negate: true
match: after

Works perfect..

Can it be a filebeat bug that it can't recognize the GS seperator correctly, or maybe my pattern is incorrect?

Thanks,
Roy.

steffens · August 11, 2017, 3:21pm

hm.... I'm not sure \u will be correctly interpreted as unicode by the regex parser. Btw, is this correct: '^\u001|\u001D’ ? Shouldn't it say ^\u001d. As \u meens, interpret these number as unicode, there shouldn't be a difference between \u001d and \u001D. It's the json encoder sending \u001D I guess.

system · September 8, 2017, 3:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_grokparsefailure on file parsing Beats filebeat	8	1854	November 24, 2016
Filebeat 'multiline' multiline pattern Beats filebeat	4	1167	April 9, 2018
Filebeat Multiline Config Help Beats filebeat	2	259	September 26, 2020
Multi line pattern in filebeat Beats	3	450	November 4, 2020
Multiline and '\n' extra character Beats filebeat	2	3601	January 2, 2019

Filebeat multiline - entire log file published as 1 long event

Config:

Related topics