SOLVED - Multi Line Help

Team,

I have made good progress using the following pattern on a Java log for Filebeat as the configuration:

multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after

Most of the app lines process correctly as a multiline. However, the following line which has new lines in it does. Any help/ideas welcome.

2019-04-03T19:55:28.818|INFO|ip-10-246-1-253.ec2.internal|[apps,d6d1329cd08b2edd,b8528f33d3928ba9|com.gogoair.core.filter.RequestResponseLoggingFilter.doFilter:115|Id:reidpat39_1554321328671|Thread:http-apr-8080-exec-8|Outgoing REST Response -
[TRANSACTION ID: 61ada2c4-f493-41d0-be57-2e035dd1315a-d58a1a9c-e9db-421f-ab4e-cb89f488cf8d]]
[REQUEST URI :/v1/customermanager/user/username]
[HTTP METHOD:GET]
[REQUEST PARAMETERS:{dataTypes=PERSONAL}]
[IPADDRESS :10.246.1.253, RemoteAddress :10.246.8.104, RemoteHost :10.246.8.104]
[RESPONSE BODY: {"trackingId":"id","statusCode":"200","statusMsg":"SUCCESS","userName":"username","personalData":{"emailAddress":"noreply@gmail.com","firstName":"JOE","lastName":"BLOGGS","title":"-","addressLine1":"1 YOU WISH","addressLine3":"HELLO","addressLine4":"IL","addressLine5":"US","postalCode":"11111","addressNumber":0,"updatedDate":"1899-01-01T00:00:00.000Z"}}]

Currently this comes through as different lines e.g.

[REQUEST PARAMETERS:{dataTypes=PERSONAL}]

[HTTP METHOD:GET]

2019-04-03T19:55:28.818|INFO|ip-10-246-1-253.ec2.internal|[apps,d6d1329cd08b2edd,b8528f33d3928ba9|com.gogoair.core.filter.RequestResponseLoggingFilter.doFilter:115|Id:reidpat39_1554321328671|Thread:http-apr-8080-exec-8|Outgoing REST Response -

[REQUEST URI :/v1/customermanager/user/username]

[IPADDRESS :10.246.1.253, RemoteAddress :10.246.8.104, RemoteHost :10.246.8.104]

[TRANSACTION ID: 61ada2c4-f493-41d0-be57-2e035dd1315a-d58a1a9c-e9db-421f-ab4e-cb89f488cf8d]]

[RESPONSE BODY: {"trackingId":"id","statusCode":"200","statusMsg":"SUCCESS","userName":"username","personalData":{"emailAddress":"noreply@gmail.com","firstName":"JOE","lastName":"BLOGGS","title":"-","addressLine1":"1 YOU WISH","addressLine3":"HELLO","addressLine4":"IL","addressLine5":"US","postalCode":"11111","addressNumber":0,"updatedDate":"1899-01-01T00:00:00.000Z"}}]

The objective is to have this as one log line so later on grok can be applied.

Any help, ideas welcome.

Thanks

This issue is solved. When you use config management for files vs log prospects, I found that you needed to put the multi-line value in the config file for the applicable item vs in the main filebeat.yml file.
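
A layout consistent with the fix described above, as an added example that is not part of the original thread: multiline options are per-input settings, so when inputs are loaded from external files they belong in the file that defines the input. The file name `inputs.d/java-app.yml` and the log path are assumptions; `filebeat.config.inputs` is the option name in Filebeat 6.3 and later (earlier releases call it `filebeat.config.prospectors`).

```yaml
# ---- filebeat.yml (main file) ----
# Inputs are loaded from external files. multiline.* keys written in this
# file are not inherited by the inputs defined in those external files.
filebeat.config.inputs:
  enabled: true
  path: inputs.d/*.yml        # assumed directory, relative to the config path
---
# ---- inputs.d/java-app.yml (assumed file name) ----
# The multiline settings sit on the input that reads the Java log.
- type: log
  paths:
    - /var/log/app/*.log      # assumed log location
  # A line starting with a date (yyyy-mm-dd) begins a new event ...
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  # ... and every line that does NOT match the pattern ...
  multiline.negate: true
  # ... is appended after the preceding line that did match.
  multiline.match: after
```

With this placement, the bracketed continuation lines (`[TRANSACTION ID: ...]`, `[REQUEST URI ...]`, `[RESPONSE BODY: ...]`) are joined to the timestamped line before them and shipped as one event.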
