Problem with filebeat, it does not process multiline correctly

San9 · February 29, 2024, 9:59am

Hello.
I have a problem setting up the filebeat agnet.
The logs consist of several lines and I would like to send them as one message.
I prepared the config, but for some reason it doesn’t work. tell me what the problem is?
When writing a regular expression, I used https://regex101.com. Everything looks good there, but the messages are still coming in the wrong form.

Parsing example

Part of the config from filebeat 8.12.1

- type: filestream
  id: cc-vapp-oracle-attention
  tags: ["oracle-attention"]
  enabled: true
  ignore_older: 24h
  paths:
       - /opt/oracle/diag/rdbms/xe/XE/trace/attention_XE_Test*.log
  parsers:
    - multiline:
       type: pattern
       pattern: '^{'
       negate: true
       match: after
       flush_pattern: '^}'

and

- type: filestream
  id: cc-vapp-oracle-attention
  tags: ["oracle-attention"]
  enabled: true
  ignore_older: 24h
  paths:
       - /opt/oracle/diag/rdbms/xe/XE/trace/attention_XE_Test*.log
  parsers:
    - multiline:
       type: pattern
       pattern: ^\n[[:graph:]]\n  "NOTIFICATION"'
       negate: true
       match: after
       flush_pattern: '^}'

example log:

{
  "NOTIFICATION" : "Starting ORACLE instance (normal) (OS id: 30427)",
  "URGENCY"      : "INFO",
  "INFO"         : "Additional Information Not Available",
  "CAUSE"        : "A command to startup the instance was executed",
  "ACTION"       : "Check alert log for progress and completion of command",
  "CLASS"        : "CDB Instance / CDB ADMINISTRATOR / AL-1000",
  "TIME"         : "2022-11-12T04:45:47.265+02:00"
}

{
  "NOTIFICATION" : "Shutting down ORACLE instance (immediate) (OS id: 30720)",
  "URGENCY"      : "INFO",
  "INFO"         : "Shutdown is initiated by sqlplus (TNS V1-V3). ",
  "CAUSE"        : "A command to shutdown the instance was executed",
  "ACTION"       : "Check alert log for progress and completion of command",
  "CLASS"        : "CDB Instance / CDB ADMINISTRATOR / AL-1001",
  "TIME"         : "2022-11-12T04:46:53.327+02:00"
}

{
  "NOTIFICATION" : "Starting ORACLE instance (normal) (OS id: 30723)",
  "URGENCY"      : "INFO",
  "INFO"         : "Additional Information Not Available",
  "CAUSE"        : "A command to startup the instance was executed",
  "ACTION"       : "Check alert log for progress and completion of command",
  "CLASS"        : "CDB Instance / CDB ADMINISTRATOR / AL-1000",
  "TIME"         : "2022-11-12T04:46:54.258+02:00"
}

ahmed_charafouddine · February 29, 2024, 10:58am

Hello @San9

I tested the configuration below and it works fine.

- type: filestream
  id: my-filestream-id
  enabled: true
  paths:
    - example.txt
  parsers:
  - multiline:
      type: pattern
      pattern: '^\{'
      negate: true
      match: after

system · March 28, 2024, 10:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline logs are not working using filebeat Beats filebeat	1	510	November 19, 2021
Multiline Filebeat Beats filebeat	5	548	May 1, 2019
Multi-line Filebeat templates don't work with filebeat.inputs - type: filestream Beats filebeat	2	2833	December 9, 2021
Filebeats multiline pattern help Beats filebeat	2	687	September 17, 2018
SOLVED - Multi Line Help Beats filebeat	2	378	May 14, 2019

Problem with filebeat, it does not process multiline correctly

Related topics