Discuss the Elastic Stack

Filebeat Parsing for Multiline including previous lines from the log

Elastic Stack Beats

abinashkd (Abinash Kumar Dalai) June 20, 2019, 9:55am 1

Hi,

I am trying to parse a log which have the context as below:

[2019-06-20 08:51:10]
Build ID: XXXXX
Build time: XXXXX
Application version: XXXXX
Category: XXXXX
Message: Nested Exception
StackTrace:

java.sql.SQLSyntaxErrorException: ORA-00933: SQL command not properly ended
 XXXXXXXXXXXXXXXXXX

filebeat.yml file:

multiline.pattern: 'Build ID'
multiline.negate: true
multiline.match: after
multiline.max_lines: 10

How can I include the timestamp[2019-06-20 08:51:10] of the log in filebeat parsing i.e is there any way so that the previous line of pattern matching can be considered.

Thanks in advance.

Mario_Castro (Mario Castro) June 24, 2019, 8:55am 2

I'm afraid that or you add before the pattern or after, but you cannot add before and after the match.

You should try to match the timestamp and use the after match

system (system) Closed July 22, 2019, 8:55am 3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.