I've tried that, that's what I tried first based on the documentation (and just now again in case I was crazy).
I'm wondering if there is some other setting that is the issue here. I'm running it via
.\filebeat -once -v
to verify that it's working before I install it as a service and move it to production.
Here's a sample prospector, I have a bunch of them in my filebeat.yml. Is it fields_under_root that's causing the issue?
filebeat.prospectors:
-
input_type: log
multiline.match: after
multiline.pattern: "^2"
multiline.negate: true
paths:
- "mypath"
fields:
document_type: mytype
logsource: mylogsource
fields_under_root: true
close_eof: true