Trouble getting multiline working

vchav73 · May 24, 2016, 4:11pm

I have this in a log file:

2016-05-24 08:39:14 18083 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.6.29-76.2-log'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  Percona Server (GPL), Release 76.2, Revision ddf26fe
2016-05-24 08:43:46 18083 [Note] /usr/sbin/mysqld: Normal shutdown

The second line belongs to the event started on the first line. I'm using this filebeat config:

filebeat:
  prospectors:
    -
      paths:
        - /var/log/mysql/error.log
      multiline:
        pattern: '[[:digit:]][[:digit:]][[:digit:]][[:digit:]]'
        negate: true
        match: after
      input_type: log
      document_type: mysql-error

When I look at the results in Elasticsearch I don't get what I expected. There are three events, one for each line. What I expected was that the second line will have been concatenated to the first line. Is this not what the multiline option is supposed to do?

steffens · May 24, 2016, 9:01pm

your pattern basically says: find me 4 consecutive digits per line. The second line contains port number 3306 and will match.

Use the ^ operator at beginning of your regex. This changes your pattern to: find me 4 consecutive digits at beginning of line.

You can shorten the pattern into ^[0-9]{4}.

vchav73 · May 24, 2016, 10:25pm

Your suggestion did the trick. Thanks!