Filebeat multinline don't work

Exdar · March 18, 2024, 6:46pm

Hi all.
I have a problem with filebeat multinline

filebeat.yml Input

- type: log
  id: onetest
  enabled: true
  tags: ["onetest"]
  parsers:
    - multinline:
      type: pattern
      pattern: '(\d\d:\d\d)\.(\d+)-(\d+)'
      negative: true
      match: after
  paths:
   - c:/Test/MyLog/*.log

input.conf in logstash

match => { "message" => "Sql=[\"\']%{INSIDEQUOTES:sql_text}[\"\']" }
INSIDEQUOTES ([^"']*)

example log file:

01:42.205063-2186916,EXCPCNTX,4,Sql="SELECT TOP 30
CASE WHEN (T1._Fld16574_TYPE = 0x08 AND ..."

But in console output I got:

"message" => "CASE WHEN (T1._Fld16574_TYPE = 0x08 AND

Filebeat splits a logical line into multiple lines, as if the pattern doesn't work. In grok debugger all works great.

rtwolfe94022 · March 19, 2024, 3:28am

Your Filebeat multiline configuration has a typo: it should be multiline instead of multinline . Correct this and ensure your pattern matches the beginning of your log messages. Restart Filebeat after making these changes to apply them.

system · April 16, 2024, 5:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline logs are not working using filebeat Beats filebeat	1	507	November 19, 2021
Multiple 'Multiline' blocks in same filebeat.yml - Filebeats Beats filebeat	3	4516	February 25, 2020
How can set multiline in filebeat Beats filebeat	4	164	June 6, 2024
Multiline does not append the lines Beats filebeat	3	149	March 18, 2024
Filebeat can't manage multiline message with office example Beats filebeat	1	122	May 14, 2024

Filebeat multinline don't work

Related Topics