Multipleline pattern not working

yagami23 · March 29, 2019, 1:46am

Hi, i would like to separate the log below in to 2 event , but the multiple line pattern fails to do that, any help appreciated

[2019-03-28T20:16:55.092-05:00] [soa_server2] [NOTIFICATION] [oracle.integration.platform.blocks.soap] [tid: [ACTIVE].ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: febf7231-0951-4764-bb80-10c2a15ff1f2-00cd1871,1:279692] [APP: soa-infra] [oracle.soa.tracking.FlowId: 37703369] [oracle.soa.tracking.InstanceId: 221175315] [oracle.soa.tracking.SCAEntityId: 170048] [composite_name: Async_Invoke_Import_Model!1.7] [FlowId: 0000Mb71McV2VO8TNiQ5Se1SZWCT000qY9] Comparing endpoint port 8001 against system enabled HTTP/HTTPS port..
[2019-03-28T20:16:55.092-05:00] [soa_server2] [NOTIFICATION] [oracle.integration.platform.blocks] [tid: [ACTIVE].ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: febf7231-0951-4764-bb80-10c2a15ff1f2-00cd1871,1:279692] [APP: soa-infra] [oracle.soa.tracking.FlowId: 37703369] [oracle.soa.tracking.InstanceId: 221175315] [oracle.soa.tracking.SCAEntityId: 170048] [composite_name: Async_Invoke_Import_Model!1.7] [FlowId: 0000Mb71McV2VO8TNiQ5Se1SZWCT000qY9] HTTPS server URL retrieved from platform provider is null

This is my pattern setting, for date format in the log [2019-03-28T20:16:55.092-05:00] :

multiline.pattern: '^['
multiline.negate: true
multiline.match: after

i tried with the patterns below also not working:
^[
^[d{4}-
^[[0-9]{4}-[0-9]{2}-[[:alpha:]]{5}:[0-9]{2}:[0-9]{2}.[0-9]{3}-[0-9]{2}:[0-9]{2}]
^[[0-9]{4}-[0-9]{2}-[0-9A-Za-z]{5}:[0-9]{2}:[0-9]{2}.[0-9]{3}-[0-9]{2}:[0-9]{2}]

kvch · March 29, 2019, 11:33am

The patterns you have shared, should be working. Could you please share your full configuration and format it using </>?

yagami23 · April 1, 2019, 12:59am

i using Filebeat 6.5.4, below is my filebeat content:

=============================
filebeat.inputs:
-type: log
enabled: true
paths:
-/opt/apps/weblogic/soa_prod_server/user_projects/domains/soa_prod_domain/servers/bam_server2/logs/bam_server2-diagnostic.log

multiline.pattern: '^[[0-9]{4}-[0-9]{2}-[[:alpha:]]{5}:[0-9]{2}:[0-9]{2}.[0-9]{3}-[0-9]{2}:[0-9]{2}]'
multiline.negate: true
multiline.match: after
exclude_files: ['.gz$', '.zip$', '.tar$' , '.tgz$' , '.lck$', 'bz2$']
fields:
env: prod
tail_files: true
tags: ["websys","weblogic"]

setup.kibana:

output.logstash:
hosts: ["abc1:5044","def2:5044","ghi3:5044"]
loadbalance: true

logging.level: info
logging.to_files: true
logging.files:
path: /opt/apps/filebeat/logs
name: filebeat-logs
keepfiles: 7

processors:

add_host_metadata: ~
add_cloud_metadata: ~

yagami23 · April 2, 2019, 12:26am

issue resolve by add in "+"

^\ [+[0-9]{4}-[0-9]{2}-[[:alpha:]]{5}:[0-9]{2}:[0-9]{2}.[0-9]{3}-[0-9]{2}:[0-9]{2}]

system · April 30, 2019, 12:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.