I'm looking to understand if I may have more than 1 multiline.pattern defined in a Filebeat configuration, where these multiline configurations would be against the same log file. When I run something similar to the below, none of the patterns work, but if I comment out all but one of them, the single multiline.pattern works.
```yaml
type: log
tags: ["someAppTag"]
paths:
  - /var/log/someapp/app.log
# Merge multiple authentication lines into their own doc
multiline:
  pattern: '^\*\*\* Received from '
  negate: true
  match: after
# Merge App restart lines into their own doc
multiline:
  pattern: 'app received sigterm'
  negate: true
  match: after
  flush_pattern: 'app is now running!'
```
The application log file I'm trying to document has several different unique messages to merge but I may only get one multiline.pattern working at a time. All of these entries are generic $timestamp.message lines spread across numerous lines and unreadable in Kibana without merging their multiline content into a single document. Any thoughts?