Hi Guys,
I'm trying to push the Oracle alert.log to ES, like this:
alert log->filebeat->logstash->elasticsearch
The alert log format is like below:
Sun Mar 19 16:55:27 2017
DBRM started with pid=7, OS id=21297
Sun Mar 19 16:58:33 2017
DIA0 started with pid=8, OS id=21299
I configured below multiline pattern in filebeat.yml (filebeat 5.6.4):
multiline.pattern: '^[A-Z]{1}[a-z]{2} [A-Z]{1}[a-z]{2} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} [0-9]{4}'
multiline.negate: true
multiline.match: after
But the first message is missing the "Sun" letters, while the second message is normal. I don't know why. Could anybody help me? Thanks.
C:\Users\Administrator\Desktop\filebeat-5.6.4-windows-x86_64>filebeat.exe
{
"@timestamp": "2017-12-06T11:14:16.604Z",
"beat": {
"hostname": "TESTAP01",
"name": "TESTAP01",
"version": "5.6.4"
},
"fields": {
"oracle_sid": "TESTDB"
},
"input_type": "log",
"message": " Mar 19 16:55:27 2017\nDBRM started with pid=7, OS id=21297 ", #"Sun" is missing
"offset": 1092,
"source": "c:\alert_TESTDB.log",
"type": "oraclealertlog"
}
{
"@timestamp": "2017-12-06T11:14:16.604Z",
"beat": {
"hostname": "TESTAP01",
"name": "TESTAP01",
"version": "5.6.4"
},
"fields": {
"oracle_sid": "TESTDB"
},
"input_type": "log",
"message": "Sun Mar 19 16:58:33 2017\nDIA0 started with pid=8, OS id=21299 \n
n\n",
"offset": 1158,
"source": "c:\alert_TESTDB.log",
"type": "oraclealertlog"
}
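
An added example (not part of the original post and not Filebeat's own code): a Python emulation of how multiline.negate: true with multiline.match: after groups lines, run over the alert log sample from the post, plus a check that flags events whose first line is not a full timestamp header. The function names and the DAMAGED input, which mirrors the first "message" shown above, are constructed for illustration.

```python
import re

# Pattern copied from the post's filebeat.yml; this syntax is also valid in Python's re.
PATTERN = re.compile(
    r'^[A-Z]{1}[a-z]{2} [A-Z]{1}[a-z]{2} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} [0-9]{4}'
)

# Alert log lines from the post.
SAMPLE = [
    "Sun Mar 19 16:55:27 2017",
    "DBRM started with pid=7, OS id=21297",
    "Sun Mar 19 16:58:33 2017",
    "DIA0 started with pid=8, OS id=21299",
]

# Constructed input: same lines, but the first header has lost "Sun",
# as in the first event printed in the post.
DAMAGED = [" Mar 19 16:55:27 2017"] + SAMPLE[1:]


def group_events(lines, pattern=PATTERN):
    """Emulate multiline.negate: true + multiline.match: after.

    A line matching the pattern starts a new event; a line that does not
    match is appended to the event currently being built.
    """
    events, current = [], []
    for line in lines:
        if pattern.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:  # flush the last event at end of input
        events.append("\n".join(current))
    return events


def check_event_starts(events, pattern=PATTERN):
    """Return the indexes of events that do not begin with a timestamp header."""
    return [i for i, event in enumerate(events) if not pattern.search(event)]


if __name__ == "__main__":
    for name, lines in (("SAMPLE", SAMPLE), ("DAMAGED", DAMAGED)):
        events = group_events(lines)
        print(name, len(events), "events; bad headers at", check_event_starts(events))
```

In this emulation both inputs yield two events, so the grouping is the same whether or not the first header line carries "Sun"; only the header check tells them apart.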