Hi ,
i'm using filebeat version 5.3.1 with the following configuration:
filebeat.prospectors:
- paths: ["/logs/*.stdout.0"]
output.elasticsearch:
hosts: ["${es_url}"]
multiline.pattern: '^(?:Jan?|Feb?|Mar?|Apr?|May|Jun?|Jul?|Aug?|Sep?|Oct?|Nov?|Dec?)'
multiline.negate: true
multiline.match: after
output.console:
pretty: true
The target log file has the following entries:
Apr 24, 2017 10:24:20.011 PM [org.springframework.web.servlet.handler.AbstractHandlerMethodMapping$MappingRegistry:543]
INFO: Mapped "{[/admin/heapdump || /admin/heapdump.json],methods=[GET],produces=[application/octet-stream]}" onto public void org.springframework.boot.actuate.endpoint.mvc.HeapdumpMvcEndpoint.invoke(boolean,javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) throws java.io.IOException,javax.servlet.ServletException
I would expect to see a single event being generated , but filebeat issue 2 events instead of one:
{
"@timestamp": "2017-04-24T22:24:25.787Z",
"beat": {
"name": "filebeat",
"version": "5.3.1"
},
"input_type": "log",
"message": "Apr 24, 2017 10:24:20.029 PM [org.springframework.web.servlet.handler.AbstractHandlerMethodMapping$MappingRegistry:543]",
"offset": 14630,
"source": "/alloc/logs/app-dev.stdout.0",
"tags": [
"filebeat"
],
"type": "log"
}
{
"@timestamp": "2017-04-24T22:24:25.787Z",
"beat": {
"name": "filebeat",
"version": "5.3.1"
},
"input_type": "log",
"message": "INFO: Mapped \"{[/admin/env/{name:.*}],methods=[GET],produces=[application/vnd.spring-boot.actuator.v1+json || application/json]}\" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EnvironmentMvcEndpoint.value(java.lang.String)",
"source": "/alloc/logs/app-dev.stdout.0",
"tags": [
"filebeat"
],
"type": "log"
}
I also used the playground at https://play.golang.org/p/uAd5XHxscu
to test the multiline pattern.
Thank so much for your input.