Hey, I'm using Filebeat 6.1.1 on a number of Linux hosts. I'm prospecting apt-get logs, which usually look like this:
Start-Date: 2018-01-03 20:45:26
Commandline: /usr/bin/apt-get -y -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold dist-upgrade
Upgrade: linux-image-4.9.0-4-amd64:amd64 (4.9.65-3, 4.9.65-3+deb9u1)
End-Date: 2018-01-03 20:45:38
Unfortunately, in cases where "End-Date" occurs more than a few seconds after "Start-Date", something times out and the End-Date line gets punted into a separate event. Which ends up looking like this
That's bad. So I attempted to boost the multiline timeout, but for some reason this didn't help matters at all. The apt-get and multiline stanza in my filebeat.yml config file currently looks like this:
- input_type: log
  paths:
    - /var/log/apt/history.log
  fields:
    type: apt
  multiline.pattern: Start-Date
  multiline.negate: true
  multiline.match: after
  multiline.flush_pattern: End-Date
  timeout: 60
How should I fix this? Everything I've read online suggests that if you're willing to sacrifice latency by boosting 'the timeout' then this should work. But it doesn't. Is it the wrong timeout? I'm out of ideas.
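A simplified model of the grouping described in the post above, added here as an illustration; it is not part of the original post and not Filebeat's own code. It assumes the flush timeout is measured from the last line read and that the setting governing it is Filebeat's documented `multiline.timeout` (default 5s); `group_events` and the sample timings are constructed.

```python
import re

# Constructed sample: (seconds since the first line arrived, line) for one apt
# run where the upgrade takes 12 s, so End-Date is written 12 s after the rest.
SAMPLE = [
    (0.0, "Start-Date: 2018-01-03 20:45:26"),
    (0.0, "Commandline: /usr/bin/apt-get -y dist-upgrade"),
    (0.0, "Upgrade: linux-image-4.9.0-4-amd64:amd64 (4.9.65-3, 4.9.65-3+deb9u1)"),
    (12.0, "End-Date: 2018-01-03 20:45:38"),
]


def group_events(timed_lines, timeout, pattern="Start-Date", flush_pattern="End-Date"):
    """Model of negate=true / match=after grouping with a flush timeout (seconds)."""
    start, flush = re.compile(pattern), re.compile(flush_pattern)
    events, buf, last_seen = [], [], None

    def emit():
        if buf:
            events.append("\n".join(buf))
            buf.clear()

    for arrived, line in timed_lines:
        # Timeout: a pending event is sent if no new line arrived in time.
        if buf and arrived - last_seen > timeout:
            emit()
        # A line matching the pattern starts a new event.
        if start.search(line):
            emit()
        buf.append(line)
        last_seen = arrived
        # flush_pattern closes the event immediately instead of waiting.
        if flush.search(line):
            emit()
    emit()
    return events


if __name__ == "__main__":
    for seconds in (5, 60):
        events = group_events(SAMPLE, timeout=seconds)
        print(f"timeout={seconds}s -> {len(events)} event(s)")
```

With the 5 s value the End-Date line becomes its own event, which breaks any audit rule that needs the command line and the completion time in one record; with 60 s the run stays a single event.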