How to use "DAY" Grok Pattern on Filebeat Multiline

mvasqueznr · March 29, 2022, 4:39am

Hi.

I'm use the next configuration to read a multiline file on logstash. For identify the begin of the message I use a grok pattern

 file {
        path => "Sample_Type1/*"
        start_position => "beginning"
        type => "alertlog_type1"
        codec => multiline {
            **pattern => "^%{DAY}"**
            negate => "true"
            what => "previous"
            max_lines => 100000
        }
    }

But, when I'm try to use the same configuration on Filebeat this not work.

Any idea for this?

Thanks.

legoguy1000 · March 29, 2022, 12:31pm

I don't think u can use a grok pattern for multiline in filebeat. You'll need to just copy the regex that it uses directly.

system · April 26, 2022, 2:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat 1.1.0: Multiline Patterns Beats filebeat	12	1681	July 5, 2017
Filebeat Multiline Config Help Beats filebeat	2	259	September 26, 2020
Filebeat 1.2.0. multiline Beats filebeat	12	2173	July 5, 2017
Multi line pattern in filebeat Beats	3	450	November 4, 2020
Filebeat is sending multiple messages to elasticsearch Beats	1	432	December 3, 2019

How to use "DAY" Grok Pattern on Filebeat Multiline

Related Topics