I've read the multiline documentation so many times now, I am seeing triple.
Our logs are in JSON format and stack traces appear like the example below. When using hints-based autodiscovery, is this the correct syntax to use?
```yaml
filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      multiline.type: pattern
      multiline.pattern: '[[:space:]]'
      multiline.negate: false
      multiline.match: after
      json.overwrite_keys: true
      json.keys_under_root: true
      json.add_error_key: true
```
Example log with Java stack trace:
```
{"@timestamp":"2020-08-18T16:43:13.397Z", "log.level":"ERROR", "message":"Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.NullPointerException] with root cause", "service.name":"muy-cool-app","process.thread.name":"http-nio-5000-exec-5","log.logger":"org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/].[dispatcherServlet]","log.origin":{"file.name":"DirectJDKLog.java","function":"log","file.line":181},"error.type":"java.lang.NullPointerException","error.stack_trace":[
"java.lang.NullPointerException",
"\tat com.specialized.v2.api.serialnumber.SerialNumberUpload.upload(SerialNumberUpload.java:55)",
```
Even the most basic examples (any line that is not the start of an object) aren't collapsing. I've tried several different match patterns in the Go playground and they pass, which makes me think I'm simply not using it correctly in my Filebeat config. I'm confused by the `co.elastic.logs/multiline.pattern` syntax I see sometimes.
Any help here would be greatly appreciated, I am at my wit's end trying to collapse these stack traces. Currently on 7.9.0.
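
Added example, not part of the original post and not Filebeat's own code: a small Go model of how `multiline.type: pattern` with `multiline.match: after` groups lines, run against both the `[[:space:]]` pattern from the config above and a "start of object" pattern (`^\{` with negate set to true, an assumed form of the basic case the post mentions). The sample lines are constructed from the excerpt (message shortened, a closing `]}` and a second event added) and assume the continuation lines carry no leading whitespace, as they appear in the post.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleLines is constructed from the log excerpt in the post; the closing
// "]}" line and the second event are added here to show event boundaries.
var sampleLines = []string{
	`{"@timestamp":"2020-08-18T16:43:13.397Z", "log.level":"ERROR", "error.stack_trace":[`,
	`"java.lang.NullPointerException",`,
	`"\tat com.specialized.v2.api.serialnumber.SerialNumberUpload.upload(SerialNumberUpload.java:55)",`,
	`]}`,
	`{"@timestamp":"2020-08-18T16:43:14.000Z", "log.level":"INFO", "message":"next event"}`,
}

// groupAfter models multiline.match: after only. A line is appended to the
// current event when (line matches pattern) != negate; otherwise it starts
// a new event.
func groupAfter(pattern string, negate bool, lines []string) [][]string {
	re := regexp.MustCompile(pattern) // Go regexp accepts POSIX classes such as [[:space:]]
	var events [][]string
	for _, line := range lines {
		continuation := re.MatchString(line) != negate
		if continuation && len(events) > 0 {
			last := len(events) - 1
			events[last] = append(events[last], line)
			continue
		}
		events = append(events, []string{line})
	}
	return events
}

func main() {
	cases := []struct {
		pattern string
		negate  bool
	}{{`[[:space:]]`, false}, {`^\{`, true}}
	for _, c := range cases {
		events := groupAfter(c.pattern, c.negate, sampleLines)
		fmt.Printf("pattern=%q negate=%v -> %d events\n", c.pattern, c.negate, len(events))
		for i, e := range events {
			fmt.Printf("  event %d: %s\n", i+1, strings.Join(e, " | "))
		}
	}
}
```

In this model the unanchored `[[:space:]]` pattern matches any line that contains whitespace anywhere, including the opening JSON line, so the trace is split across events; the anchored pattern with negate set to true keeps each object and its trace lines together.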