Problems using multiline configurations

Hello guys!
I would like to ask a question about multi-line merging. I tried to test using the example provided in the official documentation, but it didn't work. This is the link: Manage multiline messages | Filebeat Reference [8.3] | Elastic.

I'll provide my runtime and configuration files:

  • ENV: docker
  • filebeat.yml:
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/sleuthlog/*.log

filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

processors:
- add_cloud_metadata: ~
- add_docker_metadata: ~

multiline.type: pattern
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after

output.console:
   pretty: true
   enable: true

Obviously, the console printed logs are not merged:


Looking forward to your reply, this is very important to me. Thank you!

Sorry, I forgot the Filebeat version: 7.5.1

There were many code changes since version 7.5.1. Have you tried to use the latest filebeat version?

Have you tried placing the multiline settings like the example below?
Because YAML files are very sensitive.

- type: log
  enabled: true
  paths:
    - "path/to/monitor"
  multiline.type: pattern
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: after

I have tried the solution that you said, it works well, thanks!!
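What the merged events look like once the multiline settings are applied to the input, as an added example that is not part of the original thread or of Filebeat's code. It is a simplified model of the documented `pattern` / `negate` / `match` behaviour (it ignores `max_lines`, `timeout` and `flush_pattern`); the function name `merge_multiline` and the sample log lines are constructed for illustration.

```python
import re

def merge_multiline(lines, pattern, negate=False, match="after"):
    """Group raw log lines into events, modelling multiline.type: pattern."""
    if match not in ("after", "before"):
        raise ValueError("match must be 'after' or 'before'")
    regex = re.compile(pattern)

    def continues(last, current):
        # 'after' tests the current line, 'before' tests the previous line;
        # negate inverts the result of the regex test.
        subject = current if match == "after" else last
        return bool(regex.search(subject)) != negate

    events, buffer = [], []
    for line in lines:
        if buffer and continues(buffer[-1], line):
            buffer.append(line)          # still part of the open event
        else:
            if buffer:
                events.append("\n".join(buffer))
            buffer = [line]              # this line starts a new event
    if buffer:
        events.append("\n".join(buffer))
    return events

# Constructed sample: one stack trace followed by an unrelated line.
SAMPLE = [
    "[2022-08-01 10:00:00] ERROR request failed",
    "java.lang.IllegalStateException: boom",
    "    at com.example.Handler.run(Handler.java:42)",
    "[2022-08-01 10:00:01] INFO retrying",
]

def thread_settings_events():
    # The settings from the thread: pattern '^\[', negate: true, match: after.
    return merge_multiline(SAMPLE, r"^\[", negate=True, match="after")

if __name__ == "__main__":
    print("settings not applied:", len(SAMPLE), "events (one per line)")
    for number, event in enumerate(thread_settings_events(), start=1):
        print(f"--- merged event {number} ---")
        print(event)
```

With the settings in effect the four sample lines become two events; the stack trace travels with the `[`-prefixed line that precedes it instead of arriving as separate events.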
