Hello.
I am process log files with filebeats and have come across a format that starts a multi line mess that may or may not have a character before the timestamp.
eg.
Normal: "[20170126,"
New case: "[20170126,"
I was using the pattern below and am asking for help in modifying it to understand either pattern as starting a new multiline.
multiline:
pattern: '^[[:digit:]]{4}[[:digit:]]{2}[[:digit:]]{2},'
thank you
not sure I'm missing something, but I see no difference in the Normal and the New case here. An optional match can be expressed with <term>? meaning, match zero or one time.
You're right Steffen. bad copy / paste.
Normal is [20170126,
Optional case is <feff>[20170126,.
thank you for your suggestion despite my miscommunication.
after replying and same thing happening I understand. the optional text is disappearing in entry box here. It is < f e f f > (without spaces).
You can escape code using backtick or the </> button.
Sorry, have to ask again, so the optional is <feff>[20170126,? like is <feff> just one character?
Are you using windows? This looks like an utf16 BOM flag. The BOM flag normally appears at beginning of file only. Can you share your prospectors configuration?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.