I'm curious how you would attempt to create a multiline match on just the PID to put it into a single event?
I'm currently using this:
prospectors:
  -
    paths:
      - /usr/local/log/opensips.log
    encoding: plain
    input_type: log
    exclude_lines: ["ACD DEBUG1 ", "isflagset is not set to"]
    multiline:
      pattern: '----- Received +|----- out$'
      negate: true
      match: after
      max_lines: 500
      timeout: 5s
    tail_files: true
But there are times when the log lines don't follow sequentially, so the logs don't group together, as in the following example:
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25432]: ----- Received SUBSCRIBE from 96.88.101.105 to sip:111@511132.retracted.com:5060 373daac320b557f@192.168.1.113, <179c730894a14c8> sip:111@511132.retracted.com:5060
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25401]: ----- Received SUBSCRIBE from 96.88.101.105 to sip:115@511132.retracted.com:5060 e07c9141e7deba4@192.168.1.113, sip:115@511132.retracted.com:5060
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25432]: xXx = method is REGISTER or SUBSCRIBE
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25432]: ----- out to sip:111@511132.retracted.com:5060 / sip:10.15.7.23:5090
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25401]: xXx = method is REGISTER or SUBSCRIBE
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25401]: ----- out to sip:115@511132.retracted.com:5060 / sip:10.15.7.35:5090
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25431]: ----- Received SUBSCRIBE from 96.88.101.105 to sip:118@511132.retracted.com:5060 306cc35b3d3940d@192.168.1.113, sip:118@511132.retracted.com:5060
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25431]: xXx = method is REGISTER or SUBSCRIBE
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25431]: ----- out to sip:118@511132.retracted.com:5060 / sip:10.15.7.34:5090
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25419]: ----- Received NOTIFY from 10.15.7.58 to sip:61e05271773d14178601496e61cb7db0@10.15.7.30 <926cfb17-95b2-1234-699b-00219bfc76bb>, sip:113@10.15.7.58
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25419]: ---call to sip:61e05271773d14178601496e61cb7db0@10.15.7.30, from 10.15.7.58/5090
So I was thinking it may be best to group based on the PID, but I tried:
filebeat:
  prospectors:
    -
      paths:
        - /usr/local/log/opensips.log
      encoding: plain
      input_type: log
      exclude_lines: ["ACD DEBUG1 ", "isflagset is not set to"]
      multiline:
        pattern: '[[[:digit:]]{5}]: +|[[[:digit:]]{5}]: ----- out$'
        negate: true
        match: after
        max_lines: 500
        timeout: 10s
      tail_files: true
But I couldn't figure out how to make it match based on the PID. I am not too sure how to use (re) within the above, as I believe the other types of grouping, (?s) or (?m), are unsupported according to http://elasticsearch.qiniudn.com/guide/en/beats/filebeat/current/regexp-support.html
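What the post asks for, one event per PID even when PIDs interleave, needs a separate buffer per PID rather than the single sequential buffer a multiline pattern works on. As an added illustration that is not from the post or from Filebeat, this Python pass over the quoted lines (a constructed sample, shortened after the SIP URIs) shows that per-PID grouping logic, e.g. for a preprocessing step:

```python
import re

# Constructed sample: the interleaved lines quoted in the post (three PIDs, each
# logging "----- Received" ... "----- out"), cut after the SIP URIs to keep them short.
SAMPLE = """\
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25432]: ----- Received SUBSCRIBE from 96.88.101.105 to sip:111@511132.retracted.com:5060
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25401]: ----- Received SUBSCRIBE from 96.88.101.105 to sip:115@511132.retracted.com:5060
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25432]: xXx = method is REGISTER or SUBSCRIBE
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25432]: ----- out to sip:111@511132.retracted.com:5060 / sip:10.15.7.23:5090
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25401]: xXx = method is REGISTER or SUBSCRIBE
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25401]: ----- out to sip:115@511132.retracted.com:5060 / sip:10.15.7.35:5090
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25431]: ----- Received SUBSCRIBE from 96.88.101.105 to sip:118@511132.retracted.com:5060
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25431]: xXx = method is REGISTER or SUBSCRIBE
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25431]: ----- out to sip:118@511132.retracted.com:5060 / sip:10.15.7.34:5090
"""

# Syslog-style prefix: timestamp host program[pid]: message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>\S+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
START_RE = re.compile(r"^----- Received ")  # opens an event (post's first alternative)
END_RE = re.compile(r"^----- out\b")        # closes it (post's second alternative)

def group_by_pid(lines):
    """One buffer per PID instead of one for the whole stream: '----- Received'
    opens an event for its PID, same-PID lines are appended, '----- out' closes it.
    Unparseable lines, or lines whose PID has no open event, become their own event."""
    open_events = {}  # pid -> lines collected so far
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            events.append([line])
            continue
        pid, msg = m["pid"], m["msg"]
        if START_RE.match(msg):
            if pid in open_events:  # previous request never logged '----- out'
                events.append(open_events.pop(pid))
            open_events[pid] = [line]
        elif pid in open_events:
            open_events[pid].append(line)
            if END_RE.match(msg):
                events.append(open_events.pop(pid))
        else:
            events.append([line])
    events.extend(open_events.values())  # flush whatever is still open at end of input
    return ["\n".join(e) for e in events]

if __name__ == "__main__":
    for event in group_by_pid(SAMPLE.splitlines()):
        print(event, end="\n\n")
```

Events are emitted in the order they close, so the three interleaved PIDs come out as three separate three-line events; an event whose PID never logs "----- out" is flushed at end of input, which is the role the post's `timeout` plays in Filebeat.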