Hi,
I am trying to fix a issue in the filebeat configuration file where it adds newline to the parsed logs and forwards to graylog/ES. I want the log to be in single line rather than multiple line. Even if the file(access.log) contains multi-line as the input I want to make the file to be single line removing any carriage return and merge to a single line. I am not sure how the multi-line lines are matching in this case as the regex is checking the | and there is no input with date format? Can anyone provide any clue/help?
filebeat.yml
- type: log
enabled: 'true'
paths:- "/var/log/nginx/access.log"
multiline.pattern: "^[0-9]{4}-[0-9]{2}-[0-9]{2}|[A-Z][a-z]{2} [0-9]{2}, [0-9]{4}"
multiline.negate: 'true'
multiline.match: after
fields:
test.environmentname: testprod
fields_under_root: true
- "/var/log/nginx/access.log"
Input
ID: 253443
Address: http://192.168.0.1:8181/broadcast/?test=test1&=
Encoding: UTF-8
Http-Method: POST
Content-Type: application/json
Headers: {Accept=[application/json]}
Expected output
ID: 253443 Address: http://192.168.0.1:8181/broadcast/?test=test1&= Encoding: UTF-8 Http-Method: POST Content-Type: application/json Headers: {Accept=[application/json]
Regards
Pradeep