Filebeat multiline patterns not working

lalu · May 19, 2016, 6:37pm

filebeat v1.2.2 (64 bit)
OS: centos 6.7

multiline: --> patterns: --> '-' --> pattern: (not working)
multiline: --> pattern: (working)

Found detail here:
(Enhanced LS Config)
https://github.com/elastic/filebeat/issues/301

Is this supposed to work or feature not available yet.

ruflin · May 20, 2016, 6:35am

Multline support is part of the 1.2 release. The docs can be found here: https://www.elastic.co/guide/en/beats/filebeat/1.2/configuration-filebeat-options.html#multiline

I'm not sure what you mena with your patterns / pattern above?

steffens · May 20, 2016, 9:30am

please add some sample logs you want to merge + regex you've configured. I can't even tell what you're trying to do.

lalu · May 20, 2016, 5:43pm

steffens · May 23, 2016, 10:14am

You've got text instead of pictures. Here is a script to test your regexes, but I'm not too keen to type out all these pictures.

Put text in between 3 backticks '`' or use the </> button on inserted text in order to code-format your text.

lalu · May 23, 2016, 11:13am

I just want to know that the feature is available in Filebeat? The feature I mean more then one pattern in multiline.

lalu · May 23, 2016, 11:38am

Thanks Steffen for your trick for formating.

multiline:
  pattern: '^Encore.DMS.Svc-'
  negate: true
  match: after

This above config works for me for single condition, but not sure about more then one condition like I wrote below.

multiline:
  patterns:
    -
      pattern: '^Encore.DMS.Svc-'
      negate: true
      match: after
    -
      pattern: '^Encore.DMS.Svc-\.*RESPONSE:'
      negate: false
      match: after

steffens · May 23, 2016, 12:25pm

multiple conditions are not supported yet. But one can use the | (OR-)regex operator in in pattern.

lalu · May 23, 2016, 5:52pm

Log content in proper format:

Encore.DMS.Svc-6.2-0-1000013856-INFO|08:08:30:246|AgentFirstName : 
Encore.DMS.Svc-6.2-0-1000013856-INFO|08:08:30:315|REQUEST:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body ...>
    <h2h-dms-request xmlns=...>
	...
    </h2h-dms-request>
  </s:Body>
</s:Envelope>
Encore.DMS.Svc-6.2-0-1000013856-INFO|08:08:30:730|RESPONSE:
<soapenv:Envelope ...>
  <s:Header xmlns:s=... />
  <soapenv:Body>
    <xrsi:h2h-dms-reply xmlns:xrsi=...>
	...
    </xrsi:h2h-dms-reply>
  </soapenv:Body>
</soapenv:Envelope>
Encore.DMS.Svc-6.2-0-1000013856-INFO|08:08:30:730|Return value:
Encore.DMS.Svc-6.2-0-1000013856-INFO|08:08:30:731|	
Encore.DMS.Svc-6.2-0-1000013856-INFO|08:08:30:731|Code : 000

lalu · May 23, 2016, 5:56pm

Thanks for your help.
I already have this config and it is working as expected.

multiline:
  pattern: '(^Encore.DMS.Svc-)|(^Encore.DMS.Web-)|(^Encore.DASMonitor-)'
  negate: true
  match: after

But for my last condition I need to negate inside the regex. Which I think is not allowed or will not work because negate handled in separate line like "negate: true".
"! (^Encore.DMS.Svc-\.*RESPONSE:)"
Something like above can be doable or any other way this can be achieved in Filebeat?

steffens · May 24, 2016, 8:53pm

Do I understand you correctly? You just want to merge REQUEST plus RESPONSE attributes?

Check out this solution: https://play.golang.org/p/IS8wDp1h6F
Regex is ^([[:space:]]|<|(.*\|){2}RESPONSE)
First sub-term matches a string starting with whitespace, the second sub-term matches a line starting with < and the third subfilter matches ... | ... |RESPONSE without even checking the content of the columns.