I want to use multiline feature for messages in error.log.
The error lines to match are mixed with empty lines
Error cccccc
continuation error line
The default multiline pattern ( ^[[:space:]] ) for this type of continuation does not work for these empty lines (not even a white space in this line).
The concatenation stops with the empty line.
Could you please share your Filebeat configuration formatted using </>? Also, please share example input logs and the desired output.
multiline def in filebeat/modules.d/apache.yml
multiline.type: pattern
multiline.pattern: '^[[:space:]]'
multiline.negate: false
multiline.match: after
example log:
ERROR: KIX-CGI-10 Perl: 5.22.1 OS: linux Time: Mon Sep 21 11:15:06 2020
Message: Got no SessionID!!
RemoteAddress: 1.2.3.4
RequestURI: /kix/index.pl?Action=Logout;ChallengeToken=4OLqfsBqx31B6UEnPpHPkdOq2eFgsNVT;
Traceback (2182):
Module: Kernel::System::AuthSession::DB::CheckSessionID Line: 59
Module: Kernel::System::AuthSession::CheckSessionID Line: 89
Module: Kernel::System::Web::InterfaceAgent::Run Line: 482
Module: ModPerl::ROOT::ModPerl::Registry::opt_kix_bin_cgi_2dbin_index_2epl::handler Line: 39
Module: (eval) (v1.99) Line: 207
Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
Module: ModPerl::Registry::handler (v1.99) Line: 32
[Mon Sep 21 11:28:30 2020] -e: Use of uninitialized value $CallingAction in concatenation (.) or string at /opt/kix//Kernel/Modules/SaveAsDraftAJAXHandler.pm line 51.
expected result: (multiple lines in one message)
`ERROR: KIX-CGI-10 Perl: 5.22.1 OS: linux Time: Mon Sep 21 11:15:06 2020 Message: Got no SessionID!! RemoteAddress: 1.2.3.4 RequestURI: /kix/index.pl?Action=Logout;ChallengeToken=4OLqfsBqx31B6UEnPpHPkdOq2eFgsNVT;`
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.