[Solved] Possible bug? filebeat multiline regexp


Hi again,
I have possible bug in filebeat multiline regexp pattern matching.
(note quotes) Fails with unknown escape character

(Steffen Siering) #2

YAML has some string escaping rules depending on how strings are put into the document. Personally I prefer to put regexes in single quotes like ^\[?[0-9][0-9]:?[0-9][0-9]|^[[:graph:]]+ . This is no bug per se, but how YAML file format is specified.


Thank you for explanation.

(Boris Samorodov) #4

So, then the example for the multiline option [here] (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-configuration-details.html#multiline) (right after the phrase "Here’s an example configuration that shows the regular expression for a slightly more complex example:") should be fixed.

(Steffen Siering) #5

I think the example is right by escaping the '[' character using ''. The pattern can be rewritten to '^[' though.

(Boris Samorodov) #6

Steffen, seems that I was not strict at my message. Let me try once more. I meant not the example you think of but a little bit further one.

The topic is about double quotes and regexp patterns. You say that double quotes should be avoided at regexp patterns. The documentation (I gave the link in my previous reply) has an example with quotes. BTW, I mean the multiline pattern pattern: "^[[:space:]]+(at|...)|^Caused by:" (mind my note "right after the phrase"... at my previous message).

Boris (tried hard to be more precise. :slightly_smiling:)

(Steffen Siering) #7

I see. Have to test this one. It might work (I think we tested these before putting them into docs). If double-quotes are used in YAML other escaping rules are in place. Anyway, we should always document regex examples with single quotes so not to confuse people.

(DeDe Morton) #8

The examples in the doc have been tested, but I agree that our examples should follow our recommendations.

(system) #9