Multiline is not getting added to the "tag" field

This post says that multiline got added to the tags field. Sadly, it doesn't work for me. When I view the processed multiline message in Kibana, the tags field says "beats_input_codec_plain_applied".
I need to do some special filtering when a multiline message is processed. I technically have a workaround by adding a new field that triggers with the same condition as the multiline event (as it is explained here).

I also found someone else having trouble with this (here).
Does anyone know if we are just missing out on a parameter to add the multiline to tags, or is there something else wrong?

My Filebeat config:

filebeat:
  prospectors:
    -
      input_type: log
      paths:
        - "/tmp/logfiles/mylogfile.log"
      document_type: mylog
      multiline:
        pattern: ": {3}"
        match: after

Looking at the relevant PR, it doesn't look like a tag is supposed to be set, but rather the field multiline.lines. Have you checked to see if that was set?

I checked that now, but when I view the message in Kibana, it doesn't show the field multiline.lines. In addition, I checked the fields in the index pattern, and the mentioned field isn't listed there either.

I have now tried my above-mentioned workaround by using processors, but sadly that doesn't work.

filebeat:
  prospectors:
    -
      input_type: log
      paths:
        - "/tmp/logfiles/mylogfile.log"
      document_type: mylog
      #close_older: 36h
      multiline:
        pattern: ": {3}"
        match: after
      processors:
        - include_fields:
            when.regexp.message: ": {3}"
            fields: ["multilineevent", "@version", "@timestamp", "message", "tags" ]
      fields_under_root: true

The multiline part works, but it basically ignores the whole processors part. Am I doing something wrong? Is there any other way to tell my filter that there is a multiline event happening?
