Multiple 'Multiline' blocks in same filebeat.yml - Filebeats

I'm looking to understand if I may have more than 1 multiline.pattern defined in a filebeat configuration of which these multiline configurations would be against the same log file. When I run something similar to the below, none of the patterns work, but if I comment out all but one of them, the single multiline.pattern works.

    - type: log
      tags: ["someAppTag"]
      paths:
        - /var/log/someapp/app.log

      # Merge multiple authentication lines into their own doc
      multiline:
        pattern: '^\*\*\* Received from '
        negate: true
        match: after

      # Merge App restart lines into their own doc
      multiline:
        pattern: 'app received sigterm'
        negate: true
        match: after
        flush_pattern: 'app is now running!'

The application log file I'm trying to document has several different unique messages to merge but I may only get one multiline.pattern working at a time. All of these entries are generic $timestamp.message lines spread across numerous lines and unreadable in Kibana without merging their multiline content into a single document. Any thoughts?

Hi @klang and welcome to discuss 🙂

Defining multiple multiline blocks is not supported, and may lead to unexpected behaviours.

Something you can try is to merge both configurations into one, something like this:

    multiline:
      pattern: '(^\*\*\* Received from |app received sigterm)'
      negate: true
      match: after
      flush_pattern: 'app is now running!'
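An added example, not part of the original thread and not Filebeat's own code: a simplified Python model of how the merged settings above (`negate: true`, `match: after`, plus `flush_pattern`) group lines into events, useful for checking a combined pattern against sample lines before deploying it. The log lines are constructed, `group_events` is a hypothetical helper, and timeouts and `max_lines` are not modelled.

```python
import re

# Settings copied from the merged configuration in the answer above.
PATTERN = re.compile(r"(^\*\*\* Received from |app received sigterm)")
FLUSH_PATTERN = re.compile(r"app is now running!")

# Constructed sample lines (not taken from a real log).
SAMPLE_LOG = [
    "*** Received from 10.0.0.5",
    "user=alice method=password",
    "result=success",
    "*** Received from 10.0.0.9",
    "user=bob method=token",
    "2024-01-01T00:00:03 app received sigterm",
    "stopping workers",
    "app is now running!",
    "*** Received from 10.0.0.5",
    "user=alice method=password",
]

def group_events(lines, pattern=PATTERN, flush_pattern=FLUSH_PATTERN):
    """Simplified model of multiline with negate: true, match: after.

    A line matching `pattern` starts a new event; any other line is
    appended to the current event. A line matching `flush_pattern` is
    appended and closes the current event immediately.
    """
    events, current = [], []
    for line in lines:
        if current and flush_pattern.search(line):
            current.append(line)              # flush line ends the event
            events.append("\n".join(current))
            current = []
        elif current and not pattern.search(line):
            current.append(line)              # continuation line
        else:
            if current:                       # pattern hit: emit previous event
                events.append("\n".join(current))
            current = [line]                  # start a new event
    if current:
        events.append("\n".join(current))     # emit whatever is left at EOF
    return events

if __name__ == "__main__":
    for number, event in enumerate(group_events(SAMPLE_LOG), start=1):
        print(f"--- event {number} ---\n{event}")
```

Because `negate: true` with `match: after` only marks where an event begins, an authentication block that is still open when the restart line arrives is closed by that line rather than by anything specific to authentication.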

Dang, I was hoping this was a thing. Thank you for the advice, what you shared would actually work for me. I will re-think my strategy and do some testing.
