Filebeat Regex problem - Escape pipe and colon

neuronring · October 5, 2016, 3:34pm

I have configured filebeat on my windows server where i need to look for the lines matching the below pattern. Since the line itself has a pipe symbol "|" and a colon ":" the filebeat is considering it as OR condition and multi-line pattern for ":". But my regex has to match the whole string as it is..

modtransfer_2_1:reportResultCode | Result Description | strResultDescription : MOD TRANSFER FAILURE

This the text i need to look for in my log file. Please note the | (pipe) is not an OR condition and : (colon) does not mean anything. It is the actual text itself. I have my filebeat.yml configured like this.

  include_lines: ["('modtransfer_2_1\reportResultCode | Result Description | strResultDescription : MOD TRANSFER FAILURE')"]

But the filebeat treats each | separator as OR condition. How do i escape the pipe and colon ? Please assist.

steffens · October 6, 2016, 1:21am

if possible do not use double quotes in yaml files when defining regular expressions (see filebeat FAQ section). yaml will treat the \ character as escape character, which itself is the escape character for |. When using single quotes no escape character is required. Nevertheless use \ to escape the pipe symbol.

system · October 26, 2016, 3:34pm

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
[Solved] Possible bug? filebeat multiline regexp Beats filebeat	8	2713	July 5, 2017
Filebeat exclude lines that start with '+' Beats	3	2180	July 21, 2016
Unable to start Filebeat due to YAML config issue Beats filebeat	3	4372	March 21, 2017
Filebeat multiline filter and unknown escape character Beats filebeat	11	11161	July 5, 2017
Beginner question - searching for string containing [] chars Beats filebeat	5	1003	April 20, 2017

Filebeat Regex problem - Escape pipe and colon

Related topics