How to use "DAY" Grok Pattern on Filebeat Multiline

mvasqueznr · March 29, 2022, 4:39am

Hi.

I'm use the next configuration to read a multiline file on logstash. For identify the begin of the message I use a grok pattern

 file {
        path => "Sample_Type1/*"
        start_position => "beginning"
        type => "alertlog_type1"
        codec => multiline {
            **pattern => "^%{DAY}"**
            negate => "true"
            what => "previous"
            max_lines => 100000
        }
    }

But, when I'm try to use the same configuration on Filebeat this not work.

Any idea for this?

Thanks.

legoguy1000 · March 29, 2022, 12:31pm

I don't think u can use a grok pattern for multiline in filebeat. You'll need to just copy the regex that it uses directly.

system · April 26, 2022, 2:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.