How to use "DAY" Grok Pattern on Filebeat Multiline

mvasqueznr · March 29, 2022, 4:39am

Hi.

I'm use the next configuration to read a multiline file on logstash. For identify the begin of the message I use a grok pattern

 file {
        path => "Sample_Type1/*"
        start_position => "beginning"
        type => "alertlog_type1"
        codec => multiline {
            **pattern => "^%{DAY}"**
            negate => "true"
            what => "previous"
            max_lines => 100000
        }
    }

But, when I'm try to use the same configuration on Filebeat this not work.

Any idea for this?

Thanks.

legoguy1000 · March 29, 2022, 12:31pm

I don't think u can use a grok pattern for multiline in filebeat. You'll need to just copy the regex that it uses directly.

Topic		Replies	Views
Grok pattern with multiline management in filebeat Beats filebeat	6	3481	February 17, 2016
Filebeat 1.2.0. multiline Beats filebeat	11	2262	April 5, 2016
Filebeat 1.1.0: Multiline Patterns Beats filebeat	11	1759	April 15, 2016
Filebeat Multiline Patterns not working for us Beats	10	5996	October 31, 2018
Beats with multiline Beats filebeat	14	11283	February 9, 2017

How to use "DAY" Grok Pattern on Filebeat Multiline

Related topics