Filebeat parsing issue

Hi,

I am trying to fix an issue in the Filebeat configuration file where it adds newlines to the parsed logs and forwards them to Graylog/ES. I want the log to be on a single line rather than multiple lines. Even if the file (access.log) contains multiple lines as the input, I want to make it a single line, removing any carriage returns and merging everything into a single line. I am not sure how the multi-line lines are matching in this case, as the regex is checking the | and there is no input with a date format. Can anyone provide any clue/help?

filebeat.yml

  - type: log
    enabled: 'true'
    paths:
      - "/var/log/nginx/access.log"
    multiline.pattern: "^[0-9]{4}-[0-9]{2}-[0-9]{2}|[A-Z][a-z]{2} [0-9]{2}, [0-9]{4}"
    multiline.negate: 'true'
    multiline.match: after
    fields:
      test.environmentname: testprod
    fields_under_root: true

Input

ID: 253443
Address: http://192.168.0.1:8181/broadcast/?test=test1&=
Encoding: UTF-8
Http-Method: POST
Content-Type: application/json
Headers: {Accept=[application/json]}

Expected output

ID: 253443 Address: http://192.168.0.1:8181/broadcast/?test=test1&= Encoding: UTF-8 Http-Method: POST Content-Type: application/json Headers: {Accept=[application/json]

Regards
Pradeep
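
The grouping the question asks about, as an added example that is not part of the original post and not Filebeat's own code: a simplified Python model of `multiline.negate: true` with `multiline.match: after`, run over the posted input plus two constructed lines. The function names and the extra dated record are assumptions, and Filebeat's line-count and timeout limits are left out.

```python
import re

# Pattern copied from the filebeat.yml in the post. The leading ^ binds only to
# the first alternative; the second alternative may match anywhere in the line.
PATTERN = re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2}|[A-Z][a-z]{2} [0-9]{2}, [0-9]{4}")

def group_events(lines, pattern=PATTERN, negate=True):
    """Simplified model of multiline.match: after (assumption, not Filebeat code).

    A line is a continuation when (pattern matches) XOR negate is true.
    Continuations are appended to the current event with a newline; any other
    line starts a new event. The first line always starts an event.
    """
    events, current = [], []
    for line in lines:
        is_continuation = bool(pattern.search(line)) != negate
        if current and is_continuation:
            current.append(line)
        else:
            if current:
                events.append("\n".join(current))
            current = [line]
    if current:
        events.append("\n".join(current))
    return events

def flatten(event):
    """Collapse CR/LF runs into single spaces, giving the one-line form asked for."""
    return re.sub(r"[\r\n]+", " ", event).strip()

# Constructed sample: the six input lines from the post, then a hypothetical
# record that starts with a date, to show where an event boundary would fall.
SAMPLE = [
    "ID: 253443",
    "Address: http://192.168.0.1:8181/broadcast/?test=test1&=",
    "Encoding: UTF-8",
    "Http-Method: POST",
    "Content-Type: application/json",
    "Headers: {Accept=[application/json]}",
    "2024-01-01 12:00:00 next record",
    "ID: 253444",
]

if __name__ == "__main__":
    for ev in group_events(SAMPLE):
        print(repr(ev))      # merged event, still containing newlines
        print(flatten(ev))   # same event on one line
```

None of the posted lines match either alternative of the pattern, so with `negate` set every one of them counts as a continuation and they are merged into a single event joined by newlines.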
