Filebeat shows merged single error lines despite Multiline

elk51211 · July 16, 2019, 9:51am

Hello,
I managed to merge my stacktrace in a mulitline. Unfortunately my kibana still shows me the logs for single error threads. How do I avoid these single logs and get solely multilines?

Multiline settings:
multiline:
pattern: '[0-9]{4}-[0-9]{2}-[0-9]{2}(T|\s)[0-9]{2}:[0-9]{2}:[0-9]{2}(.[0-9]{3})?Z?'
negate: true
match: after

Stacktrace:
2019-07-16 09:41:30.915 WARN 1 --- [nfoReplicator-0] c.n.discovery.InstanceInfoReplicator : There was a problem with the instance info replicator

`     com.netflix.discovery.shared.transport.TransportException: Cannot execute request on any known server`
`     at com.netflix.discovery.shared.transport.decorator.RetryableEurekaHttpClient.execute(RetryableEurekaHttpClient.java:112) ~[eureka-client-1.9.8.jar!/:1.9.8]`
    at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator.register(EurekaHttpClientDecorator.java:56) ~[eureka-client-1.9.8.jar!/:1.9.8]
    at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator$1.execute(EurekaHttpClientDecorator.java:59) ~[eureka-client-1.9.8.jar!/:1.9.8]
    at com.netflix.discovery.shared.transport.decorator.SessionedEurekaHttpClient.execute(SessionedEurekaHttpClient.java:77) ~[eureka-client-1.9.8.jar!/:1.9.8]

Michal_Pristas · July 16, 2019, 1:55pm

hey @elk51211 you said that you managed to merge. configuration looks good but have you verified filebeat picked it up correctly?
also is it possible that Kibana shows logs before this change was made?
is the configuration snippet part of the specific input?

elk51211 · July 16, 2019, 2:29pm

I'm not quite sure what you mean. This is how my filebeat.yml looks like.

 filebeat.inputs:
      - type: container
        multiline:
          pattern: '^([0-9]{4}-[0-9]{2}-[0-9]{2}(T|\s)[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]{3})?Z?)'
          negate: true
          match: after
        paths:
          - '/var/lib/docker/containers/*/*.log'
        processors:
          - add_docker_metadata: ~

    filebeat.config:
      modules:
        path: ${path.config}/modules.d/*.yml
        reload.enabled: false
    filebeat.autodiscover:
      providers:
        - type: docker
          hints.enabled: true
          containers.ids:
            - "${data.docker.container.id}"
    setup.kibana:
      host: "kibana:5601"
    output.logstash:
      hosts: logstash:5044

And it seems to work because in Kibana I got the stack trace shown as 1 log. Unfortunately the single error logs of the stack trace are shown aswell.

I got the merged stack trace on top and underneath the single ones.
Nah Kibana shouldnt show older logs, I delete thelogs for every attempt

elk51211 · July 29, 2019, 1:00pm

Hey Michal do you have an idea how to make that work?

Michal_Pristas · August 6, 2019, 12:00pm

Hey @elk51211
try running filebeat test config -c filebeat.yml to see if your config is valid. indentations seems off.

also having combined output seems like something which should not happen. can you check debug logs?
you can do that either by running filebeat with -d or by setting logging.level to debug

system · September 3, 2019, 12:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.