[Solved] Possible bug? filebeat multiline regexp

Hi again,
I have possible bug in filebeat multiline regexp pattern matching.
(note quotes) Fails with unknown escape character

YAML has some string escaping rules depending on how strings are put into the document. Personally I prefer to put regexes in single quotes like ^\[?[0-9][0-9]:?[0-9][0-9]|^[[:graph:]]+ . This is no bug per se, but how YAML file format is specified.

1 Like

Thank you for explanation.

So, then the example for the multiline option [here] (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-configuration-details.html#multiline) (right after the phrase "Here’s an example configuration that shows the regular expression for a slightly more complex example:") should be fixed.

I think the example is right by escaping the '[' character using ''. The pattern can be rewritten to '^[' though.

Steffen, seems that I was not strict at my message. Let me try once more. I meant not the example you think of but a little bit further one.

The topic is about double quotes and regexp patterns. You say that double quotes should be avoided at regexp patterns. The documentation (I gave the link in my previous reply) has an example with quotes. BTW, I mean the multiline pattern pattern: "^[[:space:]]+(at|...)|^Caused by:" (mind my note "right after the phrase"... at my previous message).

Boris (tried hard to be more precise. :slightly_smiling:)

I see. Have to test this one. It might work (I think we tested these before putting them into docs). If double-quotes are used in YAML other escaping rules are in place. Anyway, we should always document regex examples with single quotes so not to confuse people.

The examples in the doc have been tested, but I agree that our examples should follow our recommendations.