Multiple multiline filter in one yml file

I am trying to use multiple date filter formats in one yml, but it's showing an error.

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /devspace/Sonu/data/input/*.log
  multiline.pattern: '^((\b(Jan?|Feb?|Mar?|Apr?|May?|Jun|Jul?|Aug?|Sep?|Oct?|Nov?|Dec?)\b\s((0[1-9])|([12][0-9])|(3[01])|[1-9]),\s(\d\d){1,2}\s(\d{1,2}):(\d{1,2}):(\d{1,2}):(\d{1,3})\s(AM|PM))|(\b(Jan?|Feb?|Mar?|Apr?|May?|Jun|Jul?|Aug?|Sep?|Oct?|Nov?|Dec?)\b\s(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])\s\d{1,2}:\d{1,2}:\d{1,2}\s(?>\d\d){1,2}))'
  multiline.negate: true
  multiline.match: after

output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
```

It is throwing an error like this:
2019-05-10T17:55:45.407+0530 ERROR instance/beat.go:906 Exiting: Error in initing input: error parsing regexp: invalid or unsupported Perl syntax: (?> accessing 'filebeat.inputs.0.multiline.pattern' (source:'filebeat.yml')
Exiting: Error in initing input: error parsing regexp: invalid or unsupported Perl syntax: (?> accessing 'filebeat.inputs.0.multiline.pattern' (source:'filebeat.yml')

I also tried another way, like this:

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /devspace/Sonu/data/input/*.log
  multiline.pattern: '^${timestamp}'

patterns:
times: '({timestamp1}|({timestamp2})'

# capture dates of type 'Mar 28, 2019 4:37:27:655 PM'
timestamp1: '\b(Jan?|Feb?|Mar?|Apr?|May?|Jun|Jul?|Aug?|Sep?|Oct?|Nov?|Dec?)\b ((0[1-9])|([12][0-9])|(3[01])|[1-9]), (\d\d){1,2} (\d{1,2}):(\d{1,2}):(\d{1,2}):(\d{1,3}) (AM|PM)'

# captures dates of type 'Fri May 10 01:35:52 2019'
timestamp2: '\b(Jan?|Feb?|Mar?|Apr?|May?|Jun|Jul?|Aug?|Sep?|Oct?|Nov?|Dec?)\b (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) \d{1,2}:\d{1,2}:\d{1,2} (?>\d\d){1,2}'
multiline.negate: true
multiline.match: after

output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
```

But it is also not working; here I am getting an error like this:

2019-05-10T18:17:16.252+0530 ERROR instance/beat.go:906 Exiting: Error in initing input: missing required field accessing 'filebeat.inputs.0.multiline.match' (source:'filebeat.yml')
Exiting: Error in initing input: missing required field accessing 'filebeat.inputs.0.multiline.match' (source:'filebeat.yml')

Can somebody tell me how to fix this?
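An added example, not part of the original post: a Go check that compiles the two posted timestamp patterns the way the first error message indicates Filebeat does (the "invalid or unsupported Perl syntax" text is produced by Go's `regexp` parser), then tests a variant with the atomic group `(?>` rewritten as `(?:`. The sample lines are constructed, and `combined`, `toRE2` and `startsEvent` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Timestamp patterns copied from the post; ts2 ends with the atomic group (?>...).
const ts1 = `\b(Jan?|Feb?|Mar?|Apr?|May?|Jun|Jul?|Aug?|Sep?|Oct?|Nov?|Dec?)\b ((0[1-9])|([12][0-9])|(3[01])|[1-9]), (\d\d){1,2} (\d{1,2}):(\d{1,2}):(\d{1,2}):(\d{1,3}) (AM|PM)`
const ts2 = `\b(Jan?|Feb?|Mar?|Apr?|May?|Jun|Jul?|Aug?|Sep?|Oct?|Nov?|Dec?)\b (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) \d{1,2}:\d{1,2}:\d{1,2} (?>\d\d){1,2}`

// Constructed sample lines (not taken from the poster's logs).
var samples = []string{
	"Mar 28, 2019 4:37:27:655 PM INFO service started",
	"May 10 01:35:52 2019 INFO service started",
	"Fri May 10 01:35:52 2019 INFO service started", // weekday prefix
	"    at com.example.Main.run(Main.java:42)",     // continuation line
}

// combined anchors both alternatives at line start, as one multiline.pattern.
func combined() string { return `^(?:` + ts1 + `|` + ts2 + `)` }

// toRE2 (hypothetical helper) rewrites atomic groups as non-capturing groups.
// \d\d has nothing to backtrack into, so the atomic group adds nothing here.
func toRE2(p string) string { return strings.ReplaceAll(p, `(?>`, `(?:`) }

// startsEvent reports whether a line opens a new event; with negate: true and
// match: after, every non-matching line is appended to the previous event.
func startsEvent(re *regexp.Regexp, line string) bool { return re.MatchString(line) }

func main() {
	if _, err := regexp.Compile(combined()); err != nil {
		fmt.Println("as posted:", err)
	}
	re := regexp.MustCompile(toRE2(combined()))
	for _, l := range samples {
		fmt.Printf("%-5v %q\n", startsEvent(re, l), l)
	}
}
```

The third sample shows that a line beginning with a weekday such as `Fri` does not match the `^`-anchored pattern, so it would be appended to the previous event rather than starting a new one.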
