[SOLVED] - multiline.* settings were not indented correctly.
Filebeats configtest did not pick this up.
Hi,
I'm ingesting SOLR logs. The logs have a datetime stamp on the first line and the information on the second.
Date lines start with
"Oct 17, 2017 1:09:46 PM org.apache.solr.request.UnInvertedField uninvert" etc.
My match pattern is
"^(Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?)"
The GO Play test is here:
https://play.golang.org/p/UbIZLhgrKb
Line 1 true
Line 2 false
Line 3 true.......
In filebeats.yml has negate: true, match: after
Any idea why Filebeats is not combining lines?