Filebeat multiline works only in pair with logstash

samdocker · January 26, 2018, 12:42pm

Hello.
Weird topic, but this is how see this problem.
So.
Currently we are parsing multiline on logstash side. I want to move multiline to filebeat.
Now.

I comment out
codec => multiline {
...
}
restart logstash
Add multiline to filebeat.
Restart filebeat.

Result. Does not work and in tags I see beats_input_codec_plain_applied

If I uncomment
codec => multiline {
...
}
and restart logstash

In tags I see lgs-multiline, beats_input_codec_multiline_applied
lgs-multiline is my special tag.

My question. Why with logstash codec => multiline filebeats, sort of, works but without it does not?

filebeat multiline config>

multiline.pattern: '^\d{4}-\d{2}-\d{2}[[:space:]]{1,4}\d{2}:\d{2}:\d{2}\.\d{2,4}\+\d{2,4}[[:space:]]{1,4}'
multiline.negate: true
multiline.max_lines: 9000
multiline.match: after

What is the right configuration for filebeat, in order to process multiline properly?

exekias · January 26, 2018, 1:34pm

Hi @samdocker,

Could you give some more details on the real and expected output in both cases? An input example is also interesting to check the multiline pattern is correct.

Best regards

samdocker · January 26, 2018, 2:18pm

Thank you for quick answer.
I found problem.
Now it works.
But I spent 3-4 hours trying to understand what was the problem. But when I asked for help I managed to find solution by my self.

system · February 16, 2018, 12:42pm

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
Filebeat multiline codec not working in my case Beats filebeat	3	3829	June 6, 2017
Filebeat multiline works as single liners Beats filebeat	2	581	March 4, 2019
Filebeat with multiline vs. multiline logstash codec Beats filebeat	8	4510	July 5, 2017
Is Logstash beats input with multiline codec allowed or not? Logstash	3	1042	November 18, 2021
Multiline codec in input Logstash	3	1139	July 6, 2017

Filebeat multiline works only in pair with logstash

Related Topics