Filebeat multiline with line breaks

amruthapbhat · June 2, 2017, 3:24pm

I have a file in the below format
Ex:

This is the first line.

This is the second line.
I am using no pattern since I want all the lines in the text to send to Logstash which is around 2000 lines.

If the file is in the below format it works.
Ex:

This is the first line.
This is the second line.
If the file is in the above format multiline works.

Could you please help me out with this.

exekias · June 5, 2017, 6:33am

Hi @amruthapbhat,

Could you please share your filebeat.yml settings? It should help diagnosing your issue

amruthapbhat · June 5, 2017, 6:48am

filebeat:
prospectors:

-
  paths:
    - /home/ubuntu/containers.d/*/*.log

  input_type: log

  document_type: syslog

  multiline:
    match: after
    max_lines: 2000

amruthapbhat · June 5, 2017, 6:58am

Hi @exekias,

Please find the above prospectors

exekias · June 5, 2017, 12:13pm

uhm, now I see this I'm wondering, what are you looking for?

Are you trying to send all lines in the same event? You don't need to set a multiline pattern to send all file lines, they will be sent one by one.

Could you please clarify what do you want to achieve?

amruthapbhat · June 5, 2017, 1:42pm

Hi @exekias,

I have a log file which could have around 1000 lines of content along with line breaks. i want to display the entire file as one event

amruthapbhat · June 5, 2017, 5:06pm

Hi @exekias,
The log files works correctly if there are no line breaks with the above configs. It displays the entire 1000 lines of content as a single log. The issue is when i have line breaks

exekias · June 6, 2017, 9:53am

I think you need to set a multiline pattern like this:

multiline.pattern: '.'

amruthapbhat · June 6, 2017, 10:59am

Hi @exekias,

i have given a link below where i have placed a sample log.

Link to the Dockerlog:

github.com

amruthapbhat/java-maven-junit-helloworld/blob/master/Dockerfile.log

Sending build context to Docker daemon 22.53 kB

Step 1/9 : FROM 96.118.23.36:8083/projects-vcmts/jessie-amd64:vcmts_pi04
 ---> 32b1211d6d21
Step 2/9 : RUN apt-get update; apt-get -y --force-yes  --no-install-recommends install adduser=3.113+nmu3 apt=1.0.9.8.4 apt-utils=1.0.9.8.4 base-files=8+deb8u8 base-passwd=3.5.37 bash=4.3-11+deb8u1 bsdmainutils=9.0.6 bsdutils=1:2.25.2-6 confd=6.0-16 confd-server=6.0-16 coreutils=8.23-4 cosm-cli=1.19-17 cosm-mon=1.2-898 cosm-pktc=1.0-133 cpio=2.11+dfsg-4.1+deb8u1 cron=3.0pl1-127+deb8u1 curl=7.38.0-4+deb8u5 dash=0.5.7-4+b1 debconf=1.5.56 debconf-i18n=1.5.56 debian-archive-keyring=2014.3 debianutils=4.4+b1 dh-python=1.20141111-2 diffutils=1:3.3-1+b1 dmeventd=2:1.02.90-2.2+deb8u1 dmidecode=2.12-3 dmsetup=2:1.02.90-2.2+deb8u1 dosfstools=3.0.27-1 dpkg=1.17.27 e2fslibs=1.42.12-2+b1 e2fsprogs=1.42.12-2+b1 expect=5.45-6 findutils=4.4.2-9+b1 gcc-4.8-base=4.8.4-1 gcc-4.9-base=4.9.2-10 gnupg=1.4.18-7+deb8u3 gpgv=1.4.18-7+deb8u3 grep=2.20-4.1 groff-base=1.22.2-8 gzip=1.6-4 hostname=3.15 ifupdown=0.7.53.1 init=1.22 init-system-helpers=1.22 initscripts=2.88dsf-59 insserv=1.14.0-5 iproute2=3.16.0-2 iptables=1.4.21-2+b1 iputils-ping=3:20121221-5+b2 isc-dhcp-client=4.3.1-6+deb8u2 isc-dhcp-common=4.3.1-6+deb8u2 isomd5sum=1:1.0.11-1 kmod=18-3 less=458-3 libacl1=2.2.52-2 libapr1=1.5.1-3 libaprutil1=1.5.4-1 libapt-inst1.5=1.0.9.8.4 libapt-pkg4.12=1.0.9.8.4 libattr1=1:2.4.47-2 libaudit-common=1:2.4-1 libaudit1=1:2.4-1+b1 libblkid1=2.25.2-6 libboost-chrono1.55.0=1.55.0+dfsg-3 libboost-iostreams1.55.0=1.55.0+dfsg-3 libboost-program-options1.55.0=1.55.0+dfsg-3 libboost-regex1.55.0=1.55.0+dfsg-3 libboost-system1.55.0=1.55.0+dfsg-3 libboost-thread1.55.0=1.55.0+dfsg-3 libbsd0=0.7.0-2 libbz2-1.0=1.0.6-7+b3 libc-bin=2.19-18+deb8u9 libc6=2.19-18+deb8u9 libcomerr2=1.42.12-2+b1 libcos-docsisutils=1.4-2 libcos-ipmi-ipc=1.2-0 libcosm-confd-cxx=1.0-24 libcosm-evt-agent=1.5-28 libcosm-ipdr-services=1.1-1 libcosmdp=1.9-3 libcosmpp=1.0-2 libcosredis=2.3-6 libcosrpc=1.3-6 libcrypto++9=5.6.1-6+deb8u3 libcurl3=7.38.0-4+deb8u5 libdb5.3=5.3.28-9 libdbus-1-3=1.8.22-0+deb8u1 libdbus-glib-1-2=0.102-1 libdevmapper-event1.02.1=2:1.02.90-2.2+deb8u1 libdevmapper1.02.1=2:1.02.90-2.2+deb8u1 libedit2=3.1-20140620-2 libestr0=0.1.9-1.1 libevent-2.0-5=2.0.21-stable-2+deb8u1 libexpat1=2.1.0-6+deb8u3 libffi6=3.1-2+b2 libgcc1=1:4.9.2-10 libgcp-mon-api=1.19-2 libgcrypt20=1.6.3-2+deb8u2 libgdbm3=1.8.3-13.1 libglib2.0-0=2.42.1-1+b1 libgmp10=2:6.0.0+dfsg-6 libgnutls-deb0-28=3.3.8-6+deb8u5 libgpg-error0=1.17-3 libgssapi-krb5-2=1.12.1+dfsg-19+deb8u2 libhiredis0.13=0.13.3-1.nsg.1 libhogweed2=2.7.1-5+deb8u2 libicu52=52.1-8+deb8u5 libidn11=1.29-1+deb8u2 libjson-c2=0.11-4 libk5crypto3=1.12.1+dfsg-19+deb8u2 libkeyutils1=1.5.9-5+b1 libkmod2=18-3 libkrb5-3=1.12.1+dfsg-19+deb8u2 libkrb5support0=1.12.1+dfsg-19+deb8u2 libldap-2.4-2=2.4.40+dfsg-1+deb8u3 liblocale-gettext-perl=1.05-8+b1 liblog4cxx10=0.10.0-4 liblogging-stdlog0=1.0.4-1 liblognorm1=1.0.1-3 liblvm2cmd2.02=2.02.111-2.2+deb8u1 liblzma5=5.1.1alpha+20120614-2+b3 libmount1=2.25.2-6 libmpdec2=2.4.1-1 libncurses5=5.9+20140913-1+b1 libncursesw5=5.9+20140913-1+b1 libnettle4=2.7.1-5+deb8u2 libnewt0.52=0.52.17-1+b1 libnsglogctl=1.0-35 libnsgsup=1.76-3 libp11-kit0=0.20.7-1 libpam-modules=1.1.8-3.1+deb8u2 libpam-modules-bin=1.1.8-3.1+deb8u2 libpam-runtime=1.1.8-3.1+deb8u2 libpam0g=1.1.8-3.1+deb8u2 libpci3=1:3.2.1-3 libpcre3=2:8.35-3.3+deb8u4 libperl5.20=5.20.2-3+deb8u6 libpipeline1=1.4.0-1 libpopt0=1.16-10 libpq5=9.4.12-0+deb8u1 libpqxx-4.0=4.0.1+dfsg-3 libprocps3=2:3.3.9-9 libpython-stdlib=2.7.9-1 libpython2.7-minimal=2.7.9-2+deb8u1 libpython2.7-stdlib=2.7.9-2+deb8u1 libpython3-stdlib=3.4.2-2 libpython3.4-minimal=3.4.2-1 libpython3.4-stdlib=3.4.2-1 librabbitmq1=0.5.2-2 libreadline5=5.2+dfsg-2 libreadline6=6.3-8+b3 librtmp1=2.4+20150115.gita107cef-1+deb8u1 libsasl2-2=2.1.26.dfsg1-13+deb8u1 libsasl2-modules-db=2.1.26.dfsg1-13+deb8u1 libselinux1=2.3-2 libsemanage-common=2.3-1 libsemanage1=2.3-1+b1 libsensors4=1:3.3.5-2 libsepol1=2.3-2 libsigc++-2.0-0c2a=2.4.0-1 libslang2=2.3.0-2 libsmartcols1=2.25.2-6 libsnmp-base=5.7.2.1+dfsg-1 libsnmp30=5.7.2.1+dfsg-1 libsqlite3-0=3.8.7.1-1+deb8u2 libss2=1.42.12-2+b1 libssh2-1=1.4.3-4.1+deb8u1 libssl1.0.0=1.0.1t-1+deb8u6 libstdc++6=4.9.2-10 libtasn1-6=4.2-3+deb8u3 libtcl8.6=8.6.2+dfsg-2 libtext-charwidth-perl=0.04-7+b3 libtext-iconv-perl=1.7-5+b2 libtext-wrapi18n-perl=0.06-7 libthrift0=0.9.2-0.py3.9 libtinfo5=5.9+20140913-1+b1 libudev1=215-17+deb8u7 libusb-0.1-4=2:0.1.12-25 libustr-1.0-1=1.0.4-3+b2 libuuid1=2.25.2-6 libwrap0=7.6.q-25 libxml2=2.9.1+dfsg1-5+deb8u4 libxslt1.1=1.1.28-2+deb8u3 libxtables10=1.4.21-2+b1 locales=2.19-18+deb8u9 login=1:4.2-3+deb8u4 logrotate=3.8.7-1+b1 lsb-base=4.1+Debian13+nmu1 lvm2=2.02.111-2.2+deb8u1 man-db=2.7.0.2-5 manpages=3.74-1 mawk=1.3.3-17 mime-support=3.58 mount=2.25.2-6 multiarch-support=2.19-18+deb8u9 nano=2.2.6-3 ncurses-base=5.9+20140913-1 ncurses-bin=5.9+20140913-1+b1 net-tools=1.60-26+b1 netbase=5.3 netcat-traditional=1.1

This file has been truncated. show original

Please let me know if there is any pattern to combine all the lines into one event

steffens · June 7, 2017, 10:04am

Have you tried the multiline tester link from our docs? e.g. setting the regex pattern to ^.|^$ does help: https://play.golang.org/p/fsNzzM8bHA

system · June 23, 2017, 3:32pm

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
Logs with lime breaks not working with multiline Beats	6	760	June 6, 2017
Filebeat multiline configuration issue Beats filebeat	2	625	March 8, 2018
Multiline \| Not even working Beats filebeat	3	757	November 3, 2017
Filebeat multiline Pattern on Apache Logs does not work as expected (Filebeat -> Logstash -> ES) Beats filebeat	3	373	May 5, 2022
Multiline Pattern not Working Beats filebeat	1	516	October 7, 2019

Filebeat multiline with line breaks

Related topics