Is "include_lines" case sensitive?

msr · November 10, 2016, 9:47am

I have just installed ElasticStack 5.0 as a proof of concept and I am playing with the Filebeat config to only output the data I'm interested in.

Are the "include_lines" search strings case sensitive?

I initially configured it as:
include_lines: ["fatal", "error", "warning"]

but I noticed I was not getting log entries pushed to ElasticSearch. I changed my config to:
include_lines: ["FATAL", "ERROR", "WARNING"]
and started getting the log entries after restarting the filebeats service (running on Windows 2012 R2 server).

I'm not sure if it's case sensitive or whether there was some other reason it wasn't originally publishing the expected lines. If it is case sensitive, I assume there is nothing wrong with specifying upper and lower case?!
include_lines: ["fatal", "FATAL", "ERROR", "error", "WARNING", "warning"]

Thanks,

ruflin · November 10, 2016, 12:25pm

It is case sensitive as these are regular expressions. See https://www.elastic.co/guide/en/beats/filebeat/5.0/configuration-filebeat-options.html#include-lines

Nothing wrong with specifying multiple options.

steffens · November 10, 2016, 1:13pm

regular expressions can be made case-insensitive via using the i option: (?i)warning

system · December 8, 2016, 1:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Include_lines problem Beats filebeat	8	3055	July 5, 2016
Why include_lines is not working? Beats filebeat	1	329	October 29, 2020
Filebeat include_lines issue Beats filebeat	4	1005	January 27, 2020
Include_lines doesn't seem to work Beats filebeat	3	1465	August 2, 2016
Include lines in filebeat Beats filebeat	1	300	March 3, 2020

Is "include_lines" case sensitive?

Related topics