Multiple patterns in Multiline pattern not working

Adyantha_T_S · March 22, 2018, 5:55pm

I am trying to capture specific lines using filebeat, but I'm unable to apply multiple patterns and get those lines into a single message.
Data:
zzz Thu Mar 22 17:49:46 UTC 2018
MemTotal: 24688032 kB
MemFree: 2628752 kB
MemAvailable: 15808568 kB
Buffers: 834784 kB
Cached: 11914956 kB
SwapCached: 0 kB
Active: 10500300 kB
Inactive: 10574108 kB
Active(anon): 6794112 kB
Inactive(anon): 1530748 kB
Active(file): 3706188 kB
Inactive(file): 9043360 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 54521848 kB
SwapFree: 54521848 kB
Dirty: 372 kB
Writeback: 0 kB
AnonPages: 8324536 kB
Mapped: 178412 kB

I need to capture only lines containing 'MemTotal|MemFree|Buffers|Cached' and ignore other lines
I tried using
multiline.pattern with all options for negate & match. Still could not figure out.
Is there any way I can capture required info.?

adrisr · March 22, 2018, 6:43pm

You should use the include_lines option:

https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html#include-lines

in this case:

 include_lines: ['^MemTotal:', '^MemFree:', '^Buffers:', '^Cached:']

Adyantha_T_S · March 23, 2018, 3:11am

But include_lines will provide info in 4 different messages. I need them in a single message.
Is it possible.?

adrisr · March 23, 2018, 2:50pm

Sorry I didn't realise you needed them in a single message.

For that you're going to resort to Logstash or an Ingest Pipeline in Elasticsearch

https://www.elastic.co/guide/en/logstash/current/advanced-pipeline.html

system · April 20, 2018, 2:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.