Multi-line Filebeat templates don't work with filebeat.inputs - type: filestream

cva · May 31, 2021, 1:19pm

I ran into a multiline processing problem in Filebeat when the filebeat.inputs: parameters specify type: filestream - the logs of the file stream are not analyzed according to the requirements of multiline. pattern: '^[[0-9]{4}-[0-9]{2}-[0-9]{2}', in the output, I see that the lines are not added to the lines, are created new single-line messages with individual lines from the log file.

If you specify type: log in the file bat.inputs: parameters, then everything works correctly, in accordance with the requirements of multiline. pattern: '^[[0-9]{4}-[0-9]{2}-[0-9]{2}' - a multiline message is created.

What is not correctly specified in my config?

       filebeat.inputs:
 
     - type: filestream
 
       enabled: true
 
       paths:
         - C:\logs\GT\TTL\*\*.log
       fields_under_root: true
       fields:
         instance: xml
         system: ttl
         subsystem: GT
         account: abc
       multiline.type: pattern
       multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
       multiline.negate: true
       multiline.match: after

system · June 28, 2021, 3:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

jsoriano · December 9, 2021, 6:06pm

Hey @cva,

Sorry for not replying before.

As commented in Multiline does not work in Filebeat 7.16 filestream inputs · Issue #29361 · elastic/beats · GitHub, the solution for this would be to use parsers, as described here: filestream input | Filebeat Reference [7.16] | Elastic