Problems using multiline configurations

hello guys!
I would like to ask a question about multi-line merging. I tried to test using the example provided by the official, but it didn't work.This is the link : Manage multiline messages | Filebeat Reference [8.3] | Elastic .

屏幕截图 2022-07-19 1611121144×688 56.6 KB

I'll provide my runtime and configuration files:

• ENV: docker
• filebeat.yml:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/sleuthlog/*.log

filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

processors:
- add_cloud_metadata: ~
- add_docker_metadata: ~

multiline.type: pattern
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after

output.console:
   pretty: true
   enable: true

Obviously, the console printed logs are not merged:

屏幕截图 2022-07-19 1615221002×301 48.9 KB

屏幕截图 2022-07-19 1615401042×330 53.6 KB

Looking forward to your reply, this is very important to me Thank you!

Sorry , I forgot the filbeat version : 7.5.1

There were many code changes since version 7.5.1. Have you tried to use the latest filebeat version?

Have you tried place the multiline like example below ?
because yaml files are very sensitive

- type: log
  enabled: true
  paths:
    - "path/to/monitor"
  multiline.type: pattern
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: after

I have tried the solution that you said, it works well, thanks!!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.