Hi Team,
I am using multiline.pattern in Filebeat for parsing logs.
I am able to parse the logs correctly on local lab servers, but when I implemented the same on prod servers, multiple logs get indexed as one event in Elasticsearch for some source files; the remaining source files' logs are parsing correctly.
I have given the log path in Filebeat as
- /opt/IBM/tivoli/netcool/PROD/cyientprobes/stream/DMS100/*.stream
and
multiline.pattern: ' ^\s{0,2}\d+\s\w+\s+\d+|^[*]+\s{0,2}\d{2}\s+\w+\s+\d+\s\w+'
The log messages in one event indexed in Kibana are as follows:
```
59 TELN120 2934 INFO Telnet Dis-Connection.
Node Name: CM Node Number: 0 Remote Node Address: 10.85.56.2
.
59 PM 981 2245 INFO IDT 44
TMC 2 - IsTb: Data Link up, PPS Link down
.
-
59 PM 128 2836 TBL ISTB IDT 48
FROM: ISTb Fault occurred on the channel
```
Please, someone help me regarding this issue.
Thanks in advance
Pavani
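
One way to check a multiline pattern offline against the lines from the post, as an added example that is not part of the original post and not Filebeat's own code. It assumes `multiline.negate: true` and `multiline.match: after` (the post does not show these settings), uses Python's `re` in place of Filebeat's Go regexp engine (the constructs in this pattern behave the same in both), and compares the pattern exactly as quoted with a constructed variant that drops the space before the first `^`.

```python
import re

# Pattern exactly as quoted in the post (note the space before the first ^).
POSTED = r" ^\s{0,2}\d+\s\w+\s+\d+|^[*]+\s{0,2}\d{2}\s+\w+\s+\d+\s\w+"
# Constructed variant for comparison: same pattern without that leading space.
TRIMMED = POSTED.lstrip()

# Sample lines copied from the post; the original whitespace may differ.
SAMPLE = [
    "59 TELN120 2934 INFO Telnet Dis-Connection.",
    "Node Name: CM Node Number: 0 Remote Node Address: 10.85.56.2",
    ".",
    "59 PM 981 2245 INFO IDT 44",
    "TMC 2 - IsTb: Data Link up, PPS Link down",
    ".",
    "-",
    "59 PM 128 2836 TBL ISTB IDT 48",
    "FROM: ISTb Fault occurred on the channel",
]

def event_starts(lines, pattern):
    """Return the lines the pattern recognises as the start of an event."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]

def group_events(lines, pattern):
    """Group lines as assumed for negate: true / match: after:
    a matching line opens a new event, any other line is appended
    to the event that is currently open."""
    rx = re.compile(pattern)
    events = []
    for line in lines:
        if rx.search(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return events

if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("trimmed", TRIMMED)):
        events = group_events(SAMPLE, pattern)
        print(f"{name}: {len(events)} event(s)")
        for event in events:
            print("   ", " | ".join(event))
```

On the sample as it appears above, the pattern as quoted matches no line and everything is grouped into one event, while the trimmed variant yields three events. Lines taken from the production `.stream` files that misbehave can be put in `SAMPLE` in the same way to see which headers the pattern misses.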