Hello,
I see type:log is going to be deprecated (Log input | Filebeat Reference [8.2] | Elastic) and we should use filestream instead of this one.
I'm trying to parse some output from ansible. A very simple basic example:
TASK [example task] ********************************************
this is the first line of multilinetask that should bet added to the TASK message too
META: example meta
I have tried different configurations, but I see this one should work (read the following link) but it doesn't seem to work for me:
Example of filebeat.yml conf:
filebeat.inputs:
- type: filestream
paths:
- /home/afuscoar/task.log
parsers:
- multiline:
type: pattern
pattern: '(PLAY|META)'
negate: true
match: after
fields_under_root: true
"message" => "TASK [example task] ********************************************",
...
"message" => "this is the first line of multilinetask that should bet added to the TASK message too",
...
"message" => "META: example meta",
Instead of something like this:
"message" => "TASK [example task] ********************************************\nthis is the first line of multilinetask that should bet added to the TASK message too",
...
"message" => "META: example meta",
Does anyone know what could be the problem? It was working perfectly using type: log and multiline.*.
I tried different indentations in the multiline section.
Thanks.