Hello!
I tested a regexp similar to yours with no major problems. Since you did not post your full configuration I am going to guess that maybe you are using the filestream input and the multiline parser is not properly configured. If using the log input the config should look like:
- type: log
enabled: true
paths:
- 'sample.log'
multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(,[0-9]{3})?'
multiline.negate: true
multiline.match: after
fields_under_root: true
While if using the filestream input:
- type: filestream
enabled: true
paths:
- 'sample.log'
parsers:
- multiline:
pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(,[0-9]{3})?'
negate: true
match: after
fields_under_root: true
Hope that helps!