Filebeate multiline pattern for multiple expression

Suresh_Pal · July 13, 2018, 1:40pm

Hi Everyone,

Hope you all are doing great !!

I'm trying to parse mulitple expression in multiline in my filebeat configuartion but i'm not able to meet the expected result.

Type of logs i want to parse:

expr1: 2018-07-13 09:34:36,553 CustomLogWrapper.java

expr2: Jul 13, 2018 9:30:35 AM com.sun.jersey.spi.container.servlet.WebComponent filterFormParameters

expr3: 13-Jul-2018 09:35:09.286 FINE [http-nio-8080-exec-65] c

Multiline expression i'm using:

^(expr1|expr2 | expr3)

multiline.pattern: '^(([0-9]{4}-[0-9]{2}-[0-9]{2}) | ([a-zA-z]{3} [0-9]{2}, [0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [AM|PM]) | ([0-9]{2}-[a-zA-z]{3}-[0-9]{4}))'

multiline.negate: true

multiline.match: after

Note: expression1 is getting parsed correctly while other two are not working. I have tried only two expression as well but i failed.

Please help !

jsoriano · July 13, 2018, 5:30pm

Hi @Suresh_Pal,

There are two things I see that I think can be corrected in your pattern:

There are some sequences of characters of fixed length (like in [0-9]{2}) that also need to match sequences with less characters, there you'd need to specify the range of number of repetitions, e.g. if you want to match numbers with one or two digits, you need to use the pattern [0-9]{1,2}.
When there are multiple expressions be careful with not leaving unneeded spaces after or before the | because they will add the requirement of these spaces after or before the string. In your case there seems to be some, try to remove them.

I hope it helps.

system · August 10, 2018, 5:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.