Filebeat multiline works only in pair with logstash

Hello.
Weird topic, but this is how see this problem.
So.
Currently we are parsing multiline on logstash side. I want to move multiline to filebeat.
Now.

1. I comment out
   codec => multiline {
   ...
   }
2. restart logstash
3. Add multiline to filebeat.
4. Restart filebeat.

Result. Does not work and in tags I see beats_input_codec_plain_applied

If I uncomment
codec => multiline {
...
}
and restart logstash

In tags I see lgs-multiline, beats_input_codec_multiline_applied
lgs-multiline is my special tag.

My question. Why with logstash codec => multiline filebeats, sort of, works but without it does not?

filebeat multiline config>

multiline.pattern: '^\d{4}-\d{2}-\d{2}[[:space:]]{1,4}\d{2}:\d{2}:\d{2}\.\d{2,4}\+\d{2,4}[[:space:]]{1,4}'
multiline.negate: true
multiline.max_lines: 9000
multiline.match: after

What is the right configuration for filebeat, in order to process multiline properly?

Hi @samdocker,

Could you give some more details on the real and expected output in both cases? An input example is also interesting to check the multiline pattern is correct.

Best regards

Thank you for quick answer.
I found problem.
Now it works.
But I spent 3-4 hours trying to understand what was the problem. But when I asked for help I managed to find solution by my self.

This topic was automatically closed after 21 days. New replies are no longer allowed.