I am attempting to use Filebeat 5.1. One of the multiline patterns I am using is causing me a lot of trouble and I am not seeing why. I was hoping y'all could point me in the right direction.
What I am trying to use seems pretty simple:
- input_type: log
  paths:
    - C:\ProgramData\logs\Error.log
  multiline.pattern: '^TIME:'
  multiline.negate: true
  multiline.match: after
The events look like:
TIME: [02/19/2019 15:09:30]
SEVERITY: Error
ERROR CODE: 0x20010001
DETAILS: Internal logic error.: Unable to determine OEM code from license.
TIME: [02/19/2019 15:09:30]
SEVERITY: Error
ERROR CODE: 0x20010001
DETAILS: Internal logic error.: TerminateThread -> Service Thread
I made sure there are no characters before the Time value.
When I run this pattern, all events get stuffed into 1 message. They are not broken into 2 separate messages. If I create 3 log events by copy and paste, it will stuff all 3 events into the same message. I am very puzzled, as this same pattern is working on a different log file. The only difference is that the word Time is "Time" in the log file that is working, but in the events that are not working the word time is "TIME". Any idea why such a simple pattern would work in one log but not in another?
Thank you for taking a look.
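A diagnostic sketch for the configuration above, added here as an example and not part of the original post or of Filebeat's code: it models `negate: true` with `match: after` over the two posted events, then over the same text in a different file encoding, and prints the `repr()` of lines that should have matched. The UTF-16 input is a constructed assumption about one condition that reproduces the symptom; the post does not establish the cause, and the helper names are hypothetical.

```python
import re

# Constructed sample: the two events shown in the post.
SAMPLE = (
    "TIME: [02/19/2019 15:09:30]\n"
    "SEVERITY: Error\n"
    "ERROR CODE: 0x20010001\n"
    "DETAILS: Internal logic error.: Unable to determine OEM code from license.\n"
    "TIME: [02/19/2019 15:09:30]\n"
    "SEVERITY: Error\n"
    "ERROR CODE: 0x20010001\n"
    "DETAILS: Internal logic error.: TerminateThread -> Service Thread\n"
)
# Constructed: the same text as UTF-16LE with a BOM (an assumption, not stated in the post).
UTF16_RAW = b"\xff\xfe" + SAMPLE.encode("utf-16-le")

def group_multiline(lines, pattern, negate=True):
    """Model multiline 'match: after': continuation lines join the event before them."""
    rx = re.compile(pattern)
    events, current = [], []
    for line in lines:
        matched = rx.search(line) is not None
        continuation = (not matched) if negate else matched
        if continuation and current:
            current.append(line)
        else:
            if current:
                events.append("\n".join(current))
            current = [line]  # a non-continuation line starts a new event
    if current:
        events.append("\n".join(current))
    return events

def read_lines(raw, encoding):
    """Decode raw file bytes the way a reader set to `encoding` would see them."""
    return raw.decode(encoding).splitlines()

def suspicious_lines(lines, pattern, keyword):
    """repr() of lines that hold the keyword once NULs are removed but fail the pattern."""
    rx = re.compile(pattern)
    return [repr(l) for l in lines
            if not rx.search(l) and keyword in l.replace("\x00", "")]

if __name__ == "__main__":
    clean = SAMPLE.splitlines()
    wrong = read_lines(UTF16_RAW, "latin-1")  # UTF-16 bytes read as single-byte text
    print("clean input events:", len(group_multiline(clean, r"^TIME:")))
    print("mis-decoded events:", len(group_multiline(wrong, r"^TIME:")))
    print("\n".join(suspicious_lines(wrong, r"^TIME:", "TIME:")))
```

Running the same `repr()` check on the first bytes of the real `Error.log` shows whether anything invisible sits before `TIME:`.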