Hello.
I am process log files with filebeats and have come across a format that starts a multi line mess that may or may not have a character before the timestamp.
eg.
Normal: "[20170126,"
New case: "[20170126,"
I was using the pattern below and am asking for help in modifying it to understand either pattern as starting a new multiline.
multiline:
pattern: '^[[:digit:]]{4}[[:digit:]]{2}[[:digit:]]{2},'
thank you
not sure I'm missing something, but I see no difference in the Normal and the New case here. An optional match can be expressed with <term>? meaning, match zero or one time.
You're right Steffen. bad copy / paste.
Normal is [20170126,
Optional case is <feff>[20170126,.
thank you for your suggestion despite my miscommunication.
after replying and same thing happening I understand. the optional text is disappearing in entry box here. It is < f e f f > (without spaces).
You can escape code using backtick or the </> button.
Sorry, have to ask again, so the optional is <feff>[20170126,? like is <feff> just one character?
Are you using windows? This looks like an utf16 BOM flag. The BOM flag normally appears at beginning of file only. Can you share your prospectors configuration?
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.