Issue with filebeat multiline patterns

sfenman · May 26, 2020, 11:56am

Hello, I am trying to setup filebeat for some multiline application logs directly to ES. So a log entry is always starting with the word "Started" or with the word "Queued" and has different number of lines each time. My filebeat.yml configuration looks like this :

  multiline.pattern: '(Started) | (Queued)'
  multiline.negate: true
  multiline.match: after

But the result is that it takes almost all lines as a log entry. Is it something that I am doing wrong?

Thank you.

David_Oceans · May 26, 2020, 1:47pm

Should be great have a tool of elastic to paste your piece of log and try this multiline or even the regex like exclude lines o include lines.

system · June 23, 2020, 1:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.