Filebeat multiline works as single liners

I have 2 inputs with multiline logs.
And the expected working Logstash config:
First:

    codec => multiline {
        pattern => "^\d"
        negate => true
        what => previous
    }

Second:

    codec => multiline {
        pattern => "^\["
        negate => true
        what => previous
    }

Trying to move this logic to Filebeat:

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/app_access.log
    fields:
      type: accessLog
    fields_under_root: true
  - type: log
    enabled: true
    paths:
      - /var/log/app.log
    fields:
      type: applicationLog
    fields_under_root: true
multiline.pattern: ['^\[', '^\d' ]
multiline.negate:   true
multiline.match:    after

But when I generate some logs (with a simple bash echo), I see many indexed docs instead of 1 with multiple strings. Multiline doesn't work properly, but all fields match the template.
I tried the doc example:

echo "[beat-logstash-some-name-832-2015.11.28] IndexNotFoundException[no such index]
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.resolve(IndexNameExpressionResolver.java:566)
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:133)
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:77)
at org.elasticsearch.action.admin.indices.delete.TransportDeleteIndexAction.checkBlock(TransportDeleteIndexAction.java:75)" >> /var/log/app.log;

Q1: What am I doing wrong?
Q2: May I have multiline in each input?

The indentation was incorrect for multiline.
Correct example:

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/app_access.log
    fields:
      type: accessLog
    fields_under_root: true
    multiline.pattern: '^\d'
    multiline.negate:   true
    multiline.match:    after
  - type: log
    enabled: true
    paths:
      - /var/log/app.log
    fields:
      type: applicationLog
    fields_under_root: true
    multiline.pattern: '^\['
    multiline.negate:   true
    multiline.match:    after
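
As an added example (not part of the original posts and not Filebeat's own code), here is a small Python model of how `multiline.negate: true` with `multiline.match: after` groups lines, run over part of the stack trace from the question plus constructed lines. `group_multiline` and the sample data are hypothetical names, and passing no pattern models an input that never received the multiline settings, which is the one-document-per-line behaviour reported above.

```python
import re

def group_multiline(lines, pattern=None, negate=False):
    """Group lines into events, modelling `multiline.match: after` only.

    pattern=None models an input with no multiline settings: one event per line.
    """
    if pattern is None:
        return list(lines)
    rx = re.compile(pattern)
    events, current = [], None
    for line in lines:
        # With negate: true, lines that do NOT match the pattern are continuations.
        continuation = bool(rx.search(line)) != negate
        if continuation and current is not None:
            current.append(line)  # match: after -> append to the open event
        else:
            if current is not None:
                events.append("\n".join(current))
            current = [line]  # this line starts a new event
    if current is not None:
        events.append("\n".join(current))
    return events

# First three lines are from the question; the last line is constructed.
APP_LOG = [
    "[beat-logstash-some-name-832-2015.11.28] IndexNotFoundException[no such index]",
    "at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver"
    "$WildcardExpressionResolver.resolve(IndexNameExpressionResolver.java:566)",
    "at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver"
    ".concreteIndices(IndexNameExpressionResolver.java:133)",
    "[constructed-second-event] another entry",
]

# Constructed access-log lines that start with a digit.
ACCESS_LOG = [
    "10.0.0.5 GET /login 200",
    "  constructed continuation detail",
    "10.0.0.6 GET / 200",
]

if __name__ == "__main__":
    cases = [("no multiline on input", APP_LOG, None),
             (r"app.log with '^\['", APP_LOG, r"^\["),
             (r"app.log with '^\d' (wrong input)", APP_LOG, r"^\d"),
             (r"access log with '^\d'", ACCESS_LOG, r"^\d")]
    for label, lines, pat in cases:
        print(f"{label}: {len(group_multiline(lines, pat, negate=True))} event(s)")
```

The third case shows why each input needs its own pattern: applying `^\d` to `app.log` merges unrelated entries into a single event, which hides event boundaries from anything searching or alerting on those logs.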
