From reading the docs, I realized that whenever multiline and include_lines (or exclude) are both set, Filebeat processes the multiline part before including/excluding any lines. That seems a bit counterintuitive, but is there any way to reverse the order? I'm trying to exclude useless lines before bundling them with the multiline option, but I can't seem to find a way around this besides editing the source code. Any help is much appreciated.
This question is nearly pointless, as there's a way to obtain the same results with the current order (multiline then include_lines) in all cases except for one. Basically, if you set your multiline options to [negate: false] and [match: before], all of the unwanted lines will be separated from the lines you actually meant to bundle. You can then use a regex in [include_lines] to include only the bundled lines.
The only case in which this wouldn't work would be the scenario in which sending an entire file using the multiline option (with the pattern '.' or '^.*') as a single line would be necessary, but since the entire file is too large the user wants to exclude a couple of lines beforehand.
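A simplified Python model of the processing order discussed in this thread (multiline first, then include_lines), added here as an illustration and not Filebeat's own code. The sample lines, the `\\$` continuation pattern, the include regex and the function names are all constructed for the example.

```python
import re

# Constructed sample: lines to bundle end with "\", noise lines stand alone.
SAMPLE = [
    "DEBUG heartbeat ok",
    "ERROR request failed \\",
    "  caused by timeout \\",
    "  while calling upstream",
    "DEBUG heartbeat ok",
    "INFO cache warmed",
]

def multiline_before(lines, pattern):
    """Model of negate: false, match: before.

    Consecutive lines that match the pattern are prepended to the next
    line that does not match; that non-matching line closes the event.
    """
    rx, events, pending = re.compile(pattern), [], []
    for line in lines:
        pending.append(line)
        if not rx.search(line):
            events.append("\n".join(pending))
            pending = []
    if pending:  # unterminated bundle at end of input; emitted as-is in this model
        events.append("\n".join(pending))
    return events

def include_lines(events, patterns):
    """Keep only events matching at least one regex (applied after multiline)."""
    rxs = [re.compile(p) for p in patterns]
    return [e for e in events if any(r.search(e) for r in rxs)]

def pipeline(lines, ml_pattern, include):
    # Same order as described in the question: bundle first, filter second.
    return include_lines(multiline_before(lines, ml_pattern), include)

if __name__ == "__main__":
    # Only a bundled event contains "\" followed by a newline, so this
    # include regex drops every stand-alone noise line.
    for event in pipeline(SAMPLE, r"\\$", [r"\\\n"]):
        print(event)
        print("---")
```

In this model a noise line that directly follows a continuation line closes the bundle and stays inside it, so the approach relies on each bundle ending with a line that belongs to it.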