GROK FILTER NOT WORKING WITH MULTILINE UNSTRUCTURED MESSAGE

Yup, you have your tabs messed up.
Delete exactly one space in front of the three multiline. lines.
Then try again.

Your current filebeat.yml is adding your multiline.* as fields because you have one extra space in front of each of those lines.
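The indentation problem described above, shown as an added, constructed filebeat.yml (not the poster's actual file, which is not on the page). The path, the timestamp pattern and the assumption that the misplaced lines ended up nested under a `fields:` block are illustrative; what is verifiable is that keys nested under `fields:` are copied into every event as custom fields, while `multiline.*` keys at the same indentation level as `paths:` configure the input itself, so a single extra space changes which of the two happens.

```yaml
# Broken (constructed example): the three multiline.* keys are indented one level
# too deep, so YAML parses them as children of "fields:". Filebeat then attaches
# multiline.pattern, multiline.negate and multiline.match to each event as plain
# fields and never joins the lines of a stack trace into one message.
filebeat.inputs:
- type: log
  paths:
    - /var/log/app/app.log          # assumed path
  fields:
    env: test
    multiline.pattern: '^\d{4}-\d{2}-\d{2} '   # assumed: lines start with a date
    multiline.negate: true
    multiline.match: after

---
# Corrected (constructed example): multiline.* sits at the same level as "paths:"
# and "fields:", so it is read as input configuration. A line that does NOT start
# with the timestamp (negate: true) is appended after the previous line
# (match: after), so a stack trace and its leading log line become one event.
filebeat.inputs:
- type: log
  paths:
    - /var/log/app/app.log          # assumed path
  fields:
    env: test
  multiline.pattern: '^\d{4}-\d{2}-\d{2} '     # assumed: lines start with a date
  multiline.negate: true
  multiline.match: after
```

A quick check after editing: run `filebeat test config -c filebeat.yml` and then ship one event; if `multiline.pattern` shows up inside the event's `fields` object in Elasticsearch, the keys are still nested one level too deep.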

Removed one space, but still the same issue.

Can you please paste your corrected filebeat.yml file?
Maybe something is missing on my end.

After this change I am getting only the last line in the message field.

Thanks a lot Ken.

Now I am getting the whole message in one single message field.

Now you should be able to start to grok that one line to break it out how you want to see it in Elasticsearch.
