Hello,
I am using filebeat multiline with java logs
config:
- type: container
paths:
- /var/log/containers/*${data.kubernetes.container.id}.log
fields:
type: kube-logs
fields_under_root: true
multiline:
pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^java|^Caused by:'
negate: false
match: after
but when I check in kibana I find that I retrieve the logs correctly compile but also all the lines separated
Hi @Panplumousse welcome!
Are you running Filebeat standalone or under Elastic-Agent? It seems you're using autodiscover with kubernetes provider, is that correct?
Are those duplicated entries from the same log file? Could you check the log.file.path on Kibana?
Could you share your whole input configuration?
Hello, @TiagoQueiroz
I use filebeat > logstash > elk < kibana in kubernetes cluster.
filebeat.autodiscover:
providers:
- type: kubernetes
node: ${NODE_NAME}
hints.enabled: true
labels.dedot: true
annotations.dedot: true
hints.default_config:
type: container
paths:
- /var/log/containers/*${data.kubernetes.container.id}.log
fields:
type: kube-logs
fields_under_root: true
multiline:
pattern: '^.{0,10}[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1]).*'
negate: true
match: after
templates:
- condition.or:
- contains.kubernetes.container.name: "container-test"
- contains.kubernetes.container.name: "container-test2"
config:
- type: container
paths:
- /var/log/containers/*${data.kubernetes.container.id}.log
fields:
type: kube-logs
fields_under_root: true
multiline:
pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^java|^Caused by:'
negate: false
match: after
filebeat.config.modules:
reload.enabled: true
output.logstash:
hosts: logstash
timeout: 15
system
March 25, 2022, 11:29am
4
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
