Problem with Multiline pattern in Filebeat

Hi Team,

I am trying to use multiline pattern in filebeat to append multiline code in specific log

Below is my log pattern :

04 Jul 2017 14:47:35,982  [INFO] http-bio-48080-exec-6 [AUTH]: [8548c77c-0296-4056-ade8-6f6d37c4ac8c] [login] [0:0:0:0:0:0:0:1] [aaa] [-NA-] [-NA-] [-NA-]: Response
 -- Response Details --

Below is the pattern which I have used in the filebeat multiline configuration .

multiline.pattern :  '^\[0-9]{2} \b\w+\b [0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}'
multiline.negate: true
multiline.match: after

Problem : its not giving any compilation error but its not appending new line string ( i.e : -- Response Details -- )

Kindly suggest changes

Thanks

I think there is a problem with the pattern. Try using:

multiline.pattern: '^[0-9]{2} \b\w+\b [0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}'

I tested it here https://play.golang.org/p/WoDQUH6jfA

Hi Andrew,

Thanks for reply.

I have tried with your suggested pattern but still problem persist.

Kindly help to resolve.

Thanks

Hi Andrew,

I have tried to test suggested pattern in https://play.golang.org/

I have also tested it with multiline.negate : true / false both

Its showing proper output with true and false with all the lines of log.

But unfortunately its not appending in processed log.

PFA of below listed files for your reference

  1. snap of suggested pattern testing in tool :
  2. snap of fileBeat log :
  3. Log file from which log processed:


4. filebeat.yml file which I use for configuration :


Please check and let me know in case of any other information require.

Thanks

have you tried to set multiline.negate: true?

I have tried it with true and false both.

But its not working in any case.

Thanks

The multiline setting must be configured in the prospector itself. Multiline is not global, but applied per file being processed.

Next time please share your configuration files as text files. I don't really look at screenshots I can barely read + text allows me to edit the configs.

2 Likes

Hi Steffens,

Thanks for suggestion.

I have place multiline setting in prospector and its working now.

Thanks

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.