Multiline config for continuation with empty lines interspersed

kornexl · September 21, 2020, 1:13pm

I want to use multiline feature for messages in error.log.
The error lines to match are mixed with empty lines
Error cccccc

continuation error line

The default multiline pattern ( ^[[:space:]] ) for this type of continuation does not work for these empty lines (not even a white space in this line).
The concatenation stops with the empty line.

kvch · September 21, 2020, 1:33pm

Could you please share your Filebeat configuration formatted using </>? Also, please share example input logs and the desired output.

kornexl · September 21, 2020, 2:03pm

multiline def in filebeat/modules.d/apache.yml

multiline.type: pattern
multiline.pattern: '^[[:space:]]'
multiline.negate: false
multiline.match: after

example log:

    ERROR: KIX-CGI-10 Perl: 5.22.1 OS: linux Time: Mon Sep 21 11:15:06 2020

     Message: Got no SessionID!!

     RemoteAddress: 1.2.3.4
     RequestURI: /kix/index.pl?Action=Logout;ChallengeToken=4OLqfsBqx31B6UEnPpHPkdOq2eFgsNVT;

     Traceback (2182):
       Module: Kernel::System::AuthSession::DB::CheckSessionID Line: 59
       Module: Kernel::System::AuthSession::CheckSessionID Line: 89
       Module: Kernel::System::Web::InterfaceAgent::Run Line: 482
       Module: ModPerl::ROOT::ModPerl::Registry::opt_kix_bin_cgi_2dbin_index_2epl::handler Line: 39
       Module: (eval) (v1.99) Line: 207
       Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
       Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
       Module: ModPerl::Registry::handler (v1.99) Line: 32

    [Mon Sep 21 11:28:30 2020] -e: Use of uninitialized value $CallingAction in concatenation (.) or string at /opt/kix//Kernel/Modules/SaveAsDraftAJAXHandler.pm line 51.

expected result: (multiple lines in one message)

`ERROR: KIX-CGI-10 Perl: 5.22.1 OS: linux Time: Mon Sep 21 11:15:06 2020      Message: Got no SessionID!!       RemoteAddress: 1.2.3.4      RequestURI: /kix/index.pl?Action=Logout;ChallengeToken=4OLqfsBqx31B6UEnPpHPkdOq2eFgsNVT;`

system · October 19, 2020, 4:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline and blank lines Beats filebeat	3	1580	August 14, 2018
Multiline troubleshooting Beats filebeat	3	781	November 25, 2016
Multiline breaks on empty line \n\n restarts new line Beats filebeat	4	2196	September 23, 2016
Filebeat sets the multi-line mode, the unmatched rows are also multi-line, the match result is abnormal Beats	4	324	August 18, 2020
Multiline breaking in blank line Beats filebeat	2	913	January 8, 2021

Multiline config for continuation with empty lines interspersed

Related topics