Shipping whole file as message?

MarcusCaepio · July 26, 2017, 9:57am

Hello everyone,

I am kindly new to ELK and now I want to ship the content of a whole file as message into logstash and elastic.
So as I have different files, each file should be a single event with all its content as message. I know that I have to use multiline in the filebeat prospector. But I don't know how to set multiline.pattern, mutliline.negate, multiline.match. The message should be in the correct order, meaning first line of the file should be also first line in the message. Can somebody please give me a hint?

Thanks in advance!

josephjohney · July 27, 2017, 6:18am

Try using the file input plugin in logstash file input plugin

ogauchard · July 27, 2017, 3:03pm

You can do it with filebeat and multiline if you can easily identify the last line of you file.

Try to configure the multiline pattern to detect the last line.

You can test the pattern and negate behavior with the Go Playground described here: https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html#_testing_your_regexp_pattern_for_multiline

MarcusCaepio · July 28, 2017, 4:26am

I guess I have a solution.
I don't have to detect the last line. Seems for me, that filebeat detects it itself. Only have to be sure to start at first line and put everything on it.
filebeat.yml

filebeat.prospectors: 
- input_type: log
      paths:
        - /X/Y/*/*
      multiline.pattern: ' \A.*'
      multiline.negate: true
      multiline.match: after
      tags: ["my-tag"]

system · August 25, 2017, 4:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.