Problems with parsing multiline

Hi. I have a problem, I use a multiline parsing with this configuration.

multiline:
        pattern: ^\[
        negate: true
        match: after

INFO 2016-06-08 10:11:08,241 Controller.py:265 - Heartbeat response received (id = 131593)
INFO 2016-06-08 10:11:08,241 ActionQueue.py:100 - Adding STATUS_COMMAND for component METRICS_MONITOR of service AMBARI_METRICS of cluster rnd_dwh to the queue.
INFO 2016-06-08 10:11:08,336 ActionQueue.py:100 - Adding STATUS_COMMAND for component HBASE_REGIONSERVER of service HBASE of cluster rnd_dwh to the queue.
INFO 2016-06-08 10:11:08,421 ActionQueue.py:100 - Adding STATUS_COMMAND for component DATANODE of service HDFS of cluster rnd_dwh to the queue.
INFO 2016-06-08 10:11:08,467 ActionQueue.py:100 - Adding STATUS_COMMAND for component NODEMANAGER of service YARN of cluster rnd_dwh to the queue.

it all turns out the same message in logstash.

This is a bug? or am I wrong tune filebeat

system configuration
filebeat version 1.2.3 (amd64)
Red Hat Enterprise Linux Server release 6.7 (Santiago)

why did you set negate: true? Having negate: true all lines not matching the pattern will be merged. For example run this test script: https://play.golang.org/p/qtELnY1Q73

You can use the script to test some sample logs including multiline events (highly recommended). All lines starting with true will be merged into an multiline event.

Why is your pattern ^\[? None of the lines you've posted start with a square bracket.

This topic was automatically closed after 21 days. New replies are no longer allowed.