Is "include_lines" case sensitive?

msr · November 10, 2016, 9:47am

I have just installed ElasticStack 5.0 as a proof of concept and I am playing with the Filebeat config to only output the data I'm interested in.

Are the "include_lines" search strings case sensitive?

I initially configured it as:
include_lines: ["fatal", "error", "warning"]

but I noticed I was not getting log entries pushed to ElasticSearch. I changed my config to:
include_lines: ["FATAL", "ERROR", "WARNING"]
and started getting the log entries after restarting the filebeats service (running on Windows 2012 R2 server).

I'm not sure if it's case sensitive or whether there was some other reason it wasn't originally publishing the expected lines. If it is case sensitive, I assume there is nothing wrong with specifying upper and lower case?!
include_lines: ["fatal", "FATAL", "ERROR", "error", "WARNING", "warning"]

Thanks,

ruflin · November 10, 2016, 12:25pm

It is case sensitive as these are regular expressions. See https://www.elastic.co/guide/en/beats/filebeat/5.0/configuration-filebeat-options.html#include-lines

Nothing wrong with specifying multiple options.

steffens · November 10, 2016, 1:13pm

regular expressions can be made case-insensitive via using the i option: (?i)warning

system · December 8, 2016, 1:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.