Filebeat multinline don't work

Exdar · March 18, 2024, 6:46pm

Hi all.
I have a problem with filebeat multinline

filebeat.yml Input

- type: log
  id: onetest
  enabled: true
  tags: ["onetest"]
  parsers:
    - multinline:
      type: pattern
      pattern: '(\d\d:\d\d)\.(\d+)-(\d+)'
      negative: true
      match: after
  paths:
   - c:/Test/MyLog/*.log

input.conf in logstash

match => { "message" => "Sql=[\"\']%{INSIDEQUOTES:sql_text}[\"\']" }
INSIDEQUOTES ([^"']*)

example log file:

01:42.205063-2186916,EXCPCNTX,4,Sql="SELECT TOP 30
CASE WHEN (T1._Fld16574_TYPE = 0x08 AND ..."

But in console output I got:

"message" => "CASE WHEN (T1._Fld16574_TYPE = 0x08 AND

Filebeat splits a logical line into multiple lines, as if the pattern doesn't work. In grok debugger all works great.

rtwolfe94022 · March 19, 2024, 3:28am

Your Filebeat multiline configuration has a typo: it should be multiline instead of multinline . Correct this and ensure your pattern matches the beginning of your log messages. Restart Filebeat after making these changes to apply them.

system · April 16, 2024, 5:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.