I'm looking to understand whether I may have more than 1 multiline.pattern defined in a Filebeat configuration, where these multiline configurations would be against the same log file. When I run something similar to the below, none of the patterns work, but if I comment out all but one of them, the single multiline.pattern works.
```yaml
type: log
tags: ["someAppTag"]
paths:
  - /var/log/someapp/app.log
# Merge multiple authentication lines into their own doc
multiline:
  pattern: '^\*\*\* Received from '
  negate: true
  match: after
# Merge App restart lines into their own doc
multiline:
  pattern: 'app received sigterm'
  negate: true
  match: after
  flush_pattern: 'app is now running!'
```
The application log file I'm trying to document has several different unique messages to merge, but I may only get one multiline.pattern working at a time. All of these entries are generic $timestamp.message lines spread across numerous lines and unreadable in Kibana without merging their multiline content into a single document. Any thoughts?
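An added sketch, not part of the original post and not Filebeat's own code: a small Python model of how `negate: true` with `match: after` groups lines, comparing the first pattern alone against one alternation regex that covers both start markers from the post. The combined regex, the `merge_events` helper and the sample log lines are assumptions constructed for illustration, and `flush_pattern` is not modelled.

```python
import re

# The first pattern from the post, on its own.
AUTH_ONLY = re.compile(r'^\*\*\* Received from ')
# Assumption: a single alternation regex standing in for both patterns in the post.
COMBINED = re.compile(r'^\*\*\* Received from |app received sigterm')

# Constructed sample lines (not real application output).
SAMPLE = [
    "*** Received from 192.0.2.5",
    "2024-01-01T00:00:01 user=alice",
    "2024-01-01T00:00:01 result=ok",
    "2024-01-01T00:00:05 app received sigterm",
    "2024-01-01T00:00:06 shutting down workers",
    "2024-01-01T00:00:09 app is now running!",
    "*** Received from 192.0.2.7",
    "2024-01-01T00:00:10 user=bob",
]


def merge_events(lines, pattern):
    """Model of negate: true / match: after.

    A line that matches the pattern starts a new event; every line that
    does not match is appended to the event currently being built.
    """
    events, current = [], []
    for line in lines:
        if pattern.search(line) and current:
            # A start marker closes the event collected so far.
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    for name, pat in (("auth only", AUTH_ONLY), ("combined", COMBINED)):
        events = merge_events(SAMPLE, pat)
        print(f"--- {name}: {len(events)} events")
        for ev in events:
            print(ev.replace("\n", " | "))
```

With the first pattern alone, the restart lines are folded into the preceding authentication event; with the alternation they become a document of their own.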