Ingest pipe line csv parser with multiline message failing

Bo_Koralage · January 11, 2021, 4:18am

I am using a csv processor and \t as the separator ingest pipeline to push logs from filebeat. This works great but fails when the message (logmessage) portion has a new line character. I added the following to the filebeat.yml to deal with multiline but hasn't helped. Loglines start with a TS like 2020-12-29T08:25:01.971....

Any help would be great?

filebeat.yml
multiline.type: pattern
multiline.pattern: '^20'
multiline.match: after
multiline.negate: true

pipeline def

Copy to clipboard

  "pipeline_tab" : {
    "description" : "tab pattern",
    "processors" : [
      {
        "csv" : {
          "field" : "message",
          "target_fields" : [
            "timestamp",
            "relativeTime",
            "thread",
            "processName",
            "sourceName",
            "logType",
            "logMessage"
          ],
          "separator" : "\t"
        }
      }
    ]
  }

system · February 8, 2021, 6:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline txt log files not parsing correctly in ingest pipeline Beats filebeat	1	301	May 21, 2020
Filebeat filestream with pipeline and multiline Beats filebeat	4	588	June 30, 2023
Filebeat fails when I configure an ingest-pipeline on filebeat.yml Beats filebeat , ingest-pipeline	16	1689	December 25, 2021
Ingest not reading csv input as a single line Beats filebeat	14	1593	September 7, 2017
Help on multiline Beats filebeat	12	2710	November 15, 2017

Ingest pipe line csv parser with multiline message failing

Related topics