Discuss the Elastic Stack

Filebeat Parsing for Multiline including previous lines from the log

Elastic Stack Beats

abinashkd (Abinash Kumar Dalai) June 20, 2019, 9:55am 1

Hi,

I am trying to parse a log which have the context as below:

[2019-06-20 08:51:10]
Build ID: XXXXX
Build time: XXXXX
Application version: XXXXX
Category: XXXXX
Message: Nested Exception
StackTrace:

java.sql.SQLSyntaxErrorException: ORA-00933: SQL command not properly ended
 XXXXXXXXXXXXXXXXXX

filebeat.yml file:

multiline.pattern: 'Build ID'
multiline.negate: true
multiline.match: after
multiline.max_lines: 10

How can I include the timestamp[2019-06-20 08:51:10] of the log in filebeat parsing i.e is there any way so that the previous line of pattern matching can be considered.

Thanks in advance.

Mario_Castro (Mario Castro) June 24, 2019, 8:55am 2

I'm afraid that or you add before the pattern or after, but you cannot add before and after the match.

You should try to match the timestamp and use the after match

system (system) Closed July 22, 2019, 8:55am 3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views	Activity
Filebeat multiline equivalent of logstash "what" Beats filebeat	2	603	May 20, 2017
Help with Filebeat RegEx Match Beats filebeat	4	4749	July 5, 2017
Only Multiline lines that do match Beats filebeat	1	364	August 31, 2018
Filebeat Multiline Patterns not working for us Beats	11	5900	November 28, 2018
Filebeat multiline.pattern set up Beats filebeat	1	240	February 23, 2021

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.