Multiline and '\n' extra character

Elastic Stack Beats
1

Hi,

I successfully turned my multiline log into single line, but now this log has '\n' character and double quotes are also escaped - ".
Any solution how to stop this behavior and configure filebeat to join lines "as is"?
I want filebeat only join lines and send logs to logstash(ELK) where they will be split by grok filter.

*English is not my first language, sorry.

result:

{"@timestamp":"2018-12-05T08:17:31.572Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.4.3"},"source":"/tmp/testdata","prospector":{"type":"log"},"input":{"type":"log"},"host":{"name":"srv-hv2"},"beat":{"version":"6.4.3","name":"srv-hv2","hostname":"srv-hv2"},"offset":0,"message":"{20181004025706,N,\n{0,0},18,0,4,28331,2,I,\"\",0,\n{\"D\",\n{2,\n{\"C\",\"ax\"}\n}\n},\"\",1,41,41,353557112,0,\n{0}\n}}

filebeat.yml:

--- 
filebeat.inputs: 
  - 
    enabled: true
    multiline.match: after
    multiline.pattern: "^{%{DATESTAMP_EVENTLOG}"
    multiline.negate: true
#    multiline.flush_pattern: "^},"
    paths: 
      - /tmp/testdata
    type: log

output.console: 
  pretty: false
2 
{"@timestamp":"2018-12-05T08:17:31.572Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.4.3"},"source":"/tmp/testdata","prospector":{"type":"log"},"input":{"type":"log"},"host":{"name":"srv-hv2"},"beat":{"version":"6.4.3","name":"srv-hv2","hostname":"srv-hv2"},"offset":0,"message":"{20181004025706,N,\n{0,0},18,0,4,28331,2,I,\"\",0,\n{\"D\",\n{2,\n{\"C\",\"ax\"}\n}\n},\"\",1,41,41,353557112,0,\n{0}\n}}

This is the json representation of your event. When sending to Logstash, it will be parsed by logstash. The \n is a placeholder of a line break and the \" will be parsed into an " character.

Logstash will see/process the original multiline event has is. If the line break is a problem: One can use the translate or other filters in LS to remove the line breaks. Plus, grok is based on regular expressions. One can use \n or \R to match newlines in grok patterns.

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.