I used the pattern pattern: '^\[.*\] PHP[[:space:]]+[[:digit:]]|^[^\'. The first part ^\[.*\] PHP[[:space:]]+[[:digit:]] captures traces (thanks to having a timestamp and having content PHP <digit>) and the second part (^[^\) collects all lines not beginning with '['.
Ahh almost prefect, that makes sense, I was using the wrong regex patterns. Turns out that \W and \d etc are not supported, that info was a little buried i the docs. but Im only getting the first line of the stack trace. Looks like I'll need to tweak the regex a bit, or use a different method on the multiline options.
I'm currently running filebeat as a windows service. I haven't tried this yet, but I wonder if I defined multiple windows services, which each run an instance of filebeat with it's own .yml file. That way, each yml file could direct filebeat to a specific log with a specific multiline pattern for it.