Filebeat sets the multi-line mode, the unmatched rows are also multi-line, the match result is abnormal

Elastic Stack Beats
1

set multiline filebeat config:
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}|^[0-9]{4}/[0-9]{2}/[0-9]{2}'
multiline.negate: true
multiline.match: after

As a result, the following log was matched as multiple lines into one record:
127.0.0.1 - [127.0.0.1] - - [29/Jun/2020:09:33:15 +0000] "GET /follow/followmanager/list/1/10?planStatus=0 HTTP/1.1" 200 792 "http://localhost:8080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 1107 0.133 [frontend-8112] 10.233.121.218:8112 4371 0.133 200 7519892edaadd50a0d0e0eeeb1bc4649
127.0.0.1 - [127.0.0.1] - - [29/Jun/2020:09:33:15 +0000] "GET /follow/followmanager/group/count HTTP/1.1" 200 156 "http://localhost:8080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 1071 0.025 [frontend-8112] 10.233.121.218:8112 218 0.025 200 604d073cfb6ed27dd193d0729c245978

2

Looking forward to reply

3

How do the original logs look you want to concatenate?

4

@kvch this kibana log show log was mark multiline tag:

1595326102590
15953261025902048×558 158 KB

The original log is all single line :
1595409259010
15954092590101755×329 254 KB

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.