Filebeat multiline works only in pair with logstash

samdocker · January 26, 2018, 12:42pm

Hello.
Weird topic, but this is how see this problem.
So.
Currently we are parsing multiline on logstash side. I want to move multiline to filebeat.
Now.

I comment out
codec => multiline {
...
}
restart logstash
Add multiline to filebeat.
Restart filebeat.

Result. Does not work and in tags I see beats_input_codec_plain_applied

If I uncomment
codec => multiline {
...
}
and restart logstash

In tags I see lgs-multiline, beats_input_codec_multiline_applied
lgs-multiline is my special tag.

My question. Why with logstash codec => multiline filebeats, sort of, works but without it does not?

filebeat multiline config>

multiline.pattern: '^\d{4}-\d{2}-\d{2}[[:space:]]{1,4}\d{2}:\d{2}:\d{2}\.\d{2,4}\+\d{2,4}[[:space:]]{1,4}'
multiline.negate: true
multiline.max_lines: 9000
multiline.match: after

What is the right configuration for filebeat, in order to process multiline properly?

exekias · January 26, 2018, 1:34pm

Hi @samdocker,

Could you give some more details on the real and expected output in both cases? An input example is also interesting to check the multiline pattern is correct.

Best regards

samdocker · January 26, 2018, 2:18pm

Thank you for quick answer.
I found problem.
Now it works.
But I spent 3-4 hours trying to understand what was the problem. But when I asked for help I managed to find solution by my self.

system · February 16, 2018, 12:42pm

This topic was automatically closed after 21 days. New replies are no longer allowed.