Filebeat Multiline Start End pattern

Elastic Stack Beats
1

Hello Team,

I have to parse following log content using filebeat-multiline feature.
Log file:
Start value1

End completed
other data

Start Value1

End completed

i want to capture the multline start with 'Start value1' End with 'End completed' and send as single event to Kafka(output plugin)
Otherdata to be considered line by line and send to kafka

i could not see any example of start/stop with combination of Multilline
i also found, this feature to be implemented (as per 2016 queries)
is the above feature available in Filebeat-multiline?
if yes, could you please share examples

2

hi @kishore419, does this help in your case ?https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html#_application_events.
The pattern option specifies the beginning of an event, the flush_pattern option will specify the end or last line of the event.

3

@MarianaD Thanks for Quick Reply. But this is not working as expected.
can you please help

Log line:
Start
value 1
value2
End
Value3
value4

filbeat condition:

multiline.pattern: 'Start'
multiline.negate: true
multiline.match: after
multiline.flush_pattern: 'End'

Expected Output:
Event 1:
Start
value 1
value2
End
Event 2:
value 3
Event 3:
value 4

Actual Output:
Event 1:
Start
value 1
value2
End
Value3
value4

4

@MarianaD

Same requirement and problem.

My output:

Event1:
Start
1
2
End

Event 2:
3
4

Expect output:

Event1:
START
1
2
END

event2
3

event3
4

Why 3 and 4 are include in one event? They're not incompatible multiline pattern and flush_pattern。3 and 4 should individually by itself.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.