Hello,
I managed to merge my stacktrace in a mulitline. Unfortunately my kibana still shows me the logs for single error threads. How do I avoid these single logs and get solely multilines?
Multiline settings:
multiline:
pattern: '[0-9]{4}-[0-9]{2}-[0-9]{2}(T|\s)[0-9]{2}:[0-9]{2}:[0-9]{2}(.[0-9]{3})?Z?'
negate: true
match: after
Stacktrace:
2019-07-16 09:41:30.915 WARN 1 --- [nfoReplicator-0] c.n.discovery.InstanceInfoReplicator : There was a problem with the instance info replicator
` com.netflix.discovery.shared.transport.TransportException: Cannot execute request on any known server`
` at com.netflix.discovery.shared.transport.decorator.RetryableEurekaHttpClient.execute(RetryableEurekaHttpClient.java:112) ~[eureka-client-1.9.8.jar!/:1.9.8]`
at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator.register(EurekaHttpClientDecorator.java:56) ~[eureka-client-1.9.8.jar!/:1.9.8]
at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator$1.execute(EurekaHttpClientDecorator.java:59) ~[eureka-client-1.9.8.jar!/:1.9.8]
at com.netflix.discovery.shared.transport.decorator.SessionedEurekaHttpClient.execute(SessionedEurekaHttpClient.java:77) ~[eureka-client-1.9.8.jar!/:1.9.8]
hey @elk51211 you said that you managed to merge. configuration looks good but have you verified filebeat picked it up correctly?
also is it possible that Kibana shows logs before this change was made?
is the configuration snippet part of the specific input?
I'm not quite sure what you mean. This is how my filebeat.yml looks like.
filebeat.inputs:
- type: container
multiline:
pattern: '^([0-9]{4}-[0-9]{2}-[0-9]{2}(T|\s)[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]{3})?Z?)'
negate: true
match: after
paths:
- '/var/lib/docker/containers/*/*.log'
processors:
- add_docker_metadata: ~
filebeat.config:
modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
filebeat.autodiscover:
providers:
- type: docker
hints.enabled: true
containers.ids:
- "${data.docker.container.id}"
setup.kibana:
host: "kibana:5601"
output.logstash:
hosts: logstash:5044
And it seems to work because in Kibana I got the stack trace shown as 1 log. Unfortunately the single error logs of the stack trace are shown aswell.
I got the merged stack trace on top and underneath the single ones.
Nah Kibana shouldnt show older logs, I delete thelogs for every attempt
Hey Michal do you have an idea how to make that work?
Hey @elk51211
try running filebeat test config -c filebeat.yml to see if your config is valid. indentations seems off.
also having combined output seems like something which should not happen. can you check debug logs?
you can do that either by running filebeat with -d or by setting logging.level to debug
