Logstash config to get multiline messages

dr01 · June 8, 2018, 2:41pm

I need to parse a multiline event and, as suggested in the docs, I'm leaving to Filebeat the handling of the multiline:

filebeat.prospectors:
- type: log
  paths:
    - /path/to/logfiletoparse.log
  multiline:
    pattern: '^Multiline event header$'
    negate: 'false'
    match: 'after'

Now, according to this config, I'd expect to see a multiline message in Kibana. Instead, the parsed logfile is still split in multiple single-line messages. Which input/filter/output config do I need to set in Logstash to get a multiline message?

Badger · June 8, 2018, 2:51pm

This is not a logstash question. If filebeat is merging mulitple lines then logstash will pass them onto elasticsearch and thence Kibana.

That pattern says that if the line matches the pattern (anchored at both ends), then it should be merged with the preceding line. Otherwise lines are fed as is.

Note the documentation for false+after: Consecutive lines that match the pattern are appended to the previous line that doesn’t match.

dr01 · June 8, 2018, 2:57pm

You're right. I have corrected it in

negate: 'true'

Now it works. Thank you.

To the mods: please feel free to move this question to the Filebeat category.

system · July 6, 2018, 2:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to push multiline events from Filebeat to Logstash Beats filebeat	1	365	September 15, 2020
Multiline configuration, several prospectors Beats filebeat	2	1073	June 9, 2017
Messages from different files are combined as one document Beats filebeat	3	938	July 5, 2017
Filebeat is sending multiple messages to elasticsearch Beats	1	432	December 3, 2019
Filebeat subdirectories and logstash multiline problems Logstash	3	933	July 6, 2017

Logstash config to get multiline messages

Related topics