Logstash config to get multiline messages

dr01 · June 8, 2018, 2:41pm

I need to parse a multiline event and, as suggested in the docs, I'm leaving to Filebeat the handling of the multiline:

filebeat.prospectors:
- type: log
  paths:
    - /path/to/logfiletoparse.log
  multiline:
    pattern: '^Multiline event header$'
    negate: 'false'
    match: 'after'

Now, according to this config, I'd expect to see a multiline message in Kibana. Instead, the parsed logfile is still split in multiple single-line messages. Which input/filter/output config do I need to set in Logstash to get a multiline message?

Badger · June 8, 2018, 2:51pm

This is not a logstash question. If filebeat is merging mulitple lines then logstash will pass them onto elasticsearch and thence Kibana.

That pattern says that if the line matches the pattern (anchored at both ends), then it should be merged with the preceding line. Otherwise lines are fed as is.

Note the documentation for false+after: Consecutive lines that match the pattern are appended to the previous line that doesn’t match.

dr01 · June 8, 2018, 2:57pm

You're right. I have corrected it in

negate: 'true'

Now it works. Thank you.

To the mods: please feel free to move this question to the Filebeat category.

system · July 6, 2018, 2:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.