Filebeat prospector_format

Josh_Vj · May 29, 2018, 2:47am

Hi, i have below settigs in filebeat.yaml
type: log
multiline.pattern: '^<!--'
multiline.negate: true
multiline.match: after

below is the message I m trying stream into ECS. But in ECS all the below lines are formatted as a separate message. Is there a way file beat will read the below as one single message

<ExecuteMultipleOperations_Transaction>
ExecuteMultipleOperations
hostname
https://hostname.domain.local/svc
hostname$
87

00:00:00.0300000

</ExecuteMultipleOperations_Transaction>

kvch · June 1, 2018, 11:00am

You your log messages are always between XML tags you can use the following multiline options:

multiline.pattern: ^</
multiline.negate: true
multiline.match: before

system · June 29, 2018, 11:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat not honoring multiline configuration Beats filebeat	3	655	May 25, 2017
Multiline message appearing as individual event Beats filebeat	4	382	September 10, 2020
Multiline is not fetching desired result from filebeat to ES Beats filebeat	4	355	March 17, 2020
Filebeat 6.0 Multiline issue Beats filebeat	17	1509	December 27, 2017
Multiline Parsing Beats filebeat	2	599	October 24, 2017

Filebeat prospector_format

Related Topics