Multiline Pattern not Matching correctly


(Allen) #1

My current Filebeat configuration is:
image

But it keeps combining all of them together:

As you can see my pattern consists of one letter and numbers:
2017-07-28T03:33:19.676-0500

Does anyone know what multiline.pattern would work best in this case?


(Andrew Kroh) #2

Have you tested your pattern as described here?

Please do not post screenshots when it's possible to copy and paste the content. (It makes more work for anyone that wishes to help by testing your pattern against the logs.)


(Allen) #3

I have not thank you for that information, I will give that a try.

Sorry for the screen shot here is the text for my screen shots:

filebeat.prospectors:
- input_type: log
  paths:
    - c:\hoppr\Logs\hoppr.mongosa.27017\mongod.log
  multiline.pattern: '^\[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after  
  fields_under_root: true
  fields:
    type: mongodb
output.elasticsearch:
  hosts: ["http://172.19.90.87:9200"]
  index: hoppr-mongodb-%{+yyyy.MM.dd}
2017-06-19T02:58:46.558-0500 I NETWORK  [initandlisten] waiting for connections on port 27017
2017-06-19T02:59:03.243-0500 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:49847 #1 (1 connection now open)
2017-06-19T02:59:03.980-0500 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:49850 #2 (2 connections now open)
2017-06-19T02:59:09.023-0500 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:49851 #3 (3 connections now open)

(Andrew Kroh) #4

Try modifying your pattern to ^[0-9]{4}-[0-9]{2}-[0-9]{2} (remove the escaping from the first bracket).


(Allen) #5

Andrew that worked, thank you, it is matching correctly now.


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.