Hi Guys,
I am facing a problem with the multiline pattern in Filebeat. My use case for multiline log data is very simple: if a log line does not start with the date format (yyyy-mm-dd), it should be considered as a single event; otherwise, it is a new event. But it is indexing the whole file as a single doc in ES.
Sample log data-
2019-01-27 00:00:02,293 INFO Controller:718 - Received query for API: {"id":"1"}
2019-01-27 00:00:02,447 INFO Controller:154 - Received query for event: {"id":"1"}
2019-01-27 00:00:02,447 WARN Controller:160 - Error occurred in event:
common.WarningException: API not supported
at com.services.Service.event(Service.java:128) ~[Service.class:?]
at com.controller.Controller.event(Controller.java:157) [Controller.class:?]
at sun.reflect.GeneratedMethodAccessor55.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
2019-01-27 00:00:02,447 INFO Controller:154 - Received query for event: {"id":"1"}
2019-01-27 00:00:02,447 INFO Controller:154 - Received query for event: {"id":"1"}
Multiline config-
## Multiline options
multiline.pattern: '^\[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
From the above sample, I am expecting 5 different docs for the logs in the ES index. But the whole file is being indexed as a single doc in ES. Please help me out with this.
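The following is an added example, not part of the original post and not Filebeat's own code: a simplified model of `multiline.negate: true` with `multiline.match: after`, run over the posted sample with the pattern exactly as posted and with the same pattern minus the backslash. It assumes Python's `re` parses this pattern the same way as Filebeat's regexp engine; `group_events`, `summarize`, `POSTED` and `UNESCAPED` are names made up for the example.

```python
import re

# Log lines copied from the sample in the post above.
SAMPLE = """\
2019-01-27 00:00:02,293 INFO Controller:718 - Received query for API: {"id":"1"}
2019-01-27 00:00:02,447 INFO Controller:154 - Received query for event: {"id":"1"}
2019-01-27 00:00:02,447 WARN Controller:160 - Error occurred in event:
common.WarningException: API not supported
at com.services.Service.event(Service.java:128) ~[Service.class:?]
at com.controller.Controller.event(Controller.java:157) [Controller.class:?]
at sun.reflect.GeneratedMethodAccessor55.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
2019-01-27 00:00:02,447 INFO Controller:154 - Received query for event: {"id":"1"}
2019-01-27 00:00:02,447 INFO Controller:154 - Received query for event: {"id":"1"}
""".splitlines()

POSTED = r'^\[0-9]{4}-[0-9]{2}-[0-9]{2}'    # multiline.pattern exactly as posted
UNESCAPED = r'^[0-9]{4}-[0-9]{2}-[0-9]{2}'  # assumption: same pattern without the backslash


def group_events(pattern, lines):
    """Simplified model of negate: true + match: after.

    A line that matches the pattern starts a new event; a line that does
    not match is appended to the event currently being built.
    """
    rx = re.compile(pattern)
    events = []
    for line in lines:
        if rx.search(line) or not events:
            events.append([line])      # first line, or a matching line: new event
        else:
            events[-1].append(line)    # non-matching line: continuation
    return events


def summarize(pattern, lines):
    """Return (number of events, number of lines in each event)."""
    events = group_events(pattern, lines)
    return len(events), [len(e) for e in events]


if __name__ == "__main__":
    # "\[" is a literal "[", so "0-9" and "]" are literals too and {4} repeats "]".
    print("posted pattern matches '[0-9]]]]-01-27':",
          bool(re.search(POSTED, "[0-9]]]]-01-27")))
    print("posted:   ", summarize(POSTED, SAMPLE))
    print("unescaped:", summarize(UNESCAPED, SAMPLE))
```

With the posted pattern no sample line counts as the start of an event, so every line is treated as a continuation; without the backslash the date prefix starts each event and the stack trace stays attached to the WARN line.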