Problems with parsing multiline

SergeyParamoshkin · June 8, 2016, 8:30am

Hi. I have a problem, I use a multiline parsing with this configuration.

multiline:
        pattern: ^\[
        negate: true
        match: after

INFO 2016-06-08 10:11:08,241 Controller.py:265 - Heartbeat response received (id = 131593)
INFO 2016-06-08 10:11:08,241 ActionQueue.py:100 - Adding STATUS_COMMAND for component METRICS_MONITOR of service AMBARI_METRICS of cluster rnd_dwh to the queue.
INFO 2016-06-08 10:11:08,336 ActionQueue.py:100 - Adding STATUS_COMMAND for component HBASE_REGIONSERVER of service HBASE of cluster rnd_dwh to the queue.
INFO 2016-06-08 10:11:08,421 ActionQueue.py:100 - Adding STATUS_COMMAND for component DATANODE of service HDFS of cluster rnd_dwh to the queue.
INFO 2016-06-08 10:11:08,467 ActionQueue.py:100 - Adding STATUS_COMMAND for component NODEMANAGER of service YARN of cluster rnd_dwh to the queue.

it all turns out the same message in logstash.

This is a bug? or am I wrong tune filebeat

system configuration
filebeat version 1.2.3 (amd64)
Red Hat Enterprise Linux Server release 6.7 (Santiago)

steffens · June 8, 2016, 11:25am

why did you set negate: true? Having negate: true all lines not matching the pattern will be merged. For example run this test script: https://play.golang.org/p/qtELnY1Q73

You can use the script to test some sample logs including multiline events (highly recommended). All lines starting with true will be merged into an multiline event.

magnusbaeck · June 12, 2016, 11:16am

Why is your pattern ^\[? None of the lines you've posted start with a square bracket.

system · June 29, 2016, 8:30am

This topic was automatically closed after 21 days. New replies are no longer allowed.