Understanding Multiline

Louuu · March 9, 2017, 1:17am

Hi,

I have started using filebeat recently and have been looking at the multiline configurations as shown in the documentation.

https://play.golang.org/p/LQpFDR34t9

According to that, my multiline regex works as expected.

However it is returning as multiple lines as shown below and ignoring the multiline pattern which I have applied

`:{"type":"radiusdetail"},"input_type":"log","message":"Thu Mar  9 00:50:48 2017","offset":2389,"source":"/var/log/radius/radacct/10.122.217.4/detail-20170309","type":"log"}
{"@timestamp":"2017-03-09T00:50:49.671Z","beat":{"hostname":"app.radius.local","name":"app.radius.local","version":"5.2.2"},"fields":{"type":"radiusdetail"},"input_type":"log","message":"\tUser-Name = 'test@test.co.uk'","offset":2438,"source":"/var/log/radius/radacct/10.122.217.4/detail-20170309","type":"log"}
{"@timestamp":"2017-03-09T00:50:49.671Z","beat":{"hostname":"app.radius.local","name":"app.radius.local","version":"5.2.2"},"fields":{"type":"radiusdetail"},"input_type":"log","message":"\tAcct-Status-Type = Start","offset":2464,"source":"/var/log/radius/radacct/10.122.217.4/detail-20170309","type":"log"}
{"@timestamp":"2017-03-09T00:50:49.671Z","beat":{"hostname":"app.radius.local","name":"app.radius.local","version":"5.2.2"},"fields":{"type":"radiusdetail"},"input_type":"log","message":"\tAcct-Session-Id = '1184'","offset":2490,"source":"/var/log/radius/radacct/10.122.217.4/detail-20170309","type":"log"}
{"@timestamp":"2017-03-09T00:50:49.671Z","beat":{"hostname":"app.radius.local","name":"app.radius.local","version":"5.2.2"},"fields":{"type":"radiusdetail"},"input_type":"log","message":"\tFramed-IP-Address = 192.168.105.1","offset":2525,"source":"/var/log/radius/radacct/10.122.217.4/detail-20170309","type":"log"}
{"@timestamp":"2017-03-09T00:50:49.671Z","beat":{"hostname":"app.radius.local","name":"app.radius.local","version":"5.2.2"},"fields":{"type":"radiusdetail"},"input_type":"log","message":"\tNAS-IP-Address = 192.168.1.1","offset":2555,"source":"/var/log/radius/radacct/10.122.217.4/detail-20170309","type":"log"}
{"@timestamp":"2017-03-09T00:50:49.671Z","beat":{"hostname":"app.radius.local","name":"app.radius.local","version":"5.2.2"},"fields":{"type":"radiusdetail"},"input_type":"log","message":"\tCalling-Station-Id = '192.168.1.1'","offset":2591,"source":"/var/log/radius/radacct/10.122.217.4/detail-20170309","type":"log"}
{"@timestamp":"2017-03-09T00:50:49.671Z","beat":{"hostname":"app.radius.local","name":"app.radius.local","version":"5.2.2"},"fields":{"type":"radiusdetail"},"input_type":"log","message":"\tCalled-Station-Id = '192.168.1.1'","offset":2626,"source":"/var/log/radius/radacct/10.122.217.4/detail-20170309","type":"log"}
{"@timestamp":"2017-03-09T00:50:49.671Z","beat":{"hostname":"app.radius.local","name":"app.radius.local","version":"5.2.2"},"fields":{"type":"radiusdetail"},"input_type":"log","message":"\tEvent-Timestamp = 'Mar  9 2017 00:50:48 GMT'","offset":2672,"source":"/var/log/radius/radacct/10.122.217.4/detail-20170309","type":"log"}
{"@timestamp":"2017-03-09T00:50:49.671Z","beat":{"hostname":"app.radius.local","name":"app.radius.local","version":"5.2.2"},"fields":{"type":"radiusdetail"},"input_type":"log","message":"\tAcct-Unique-Session-Id = 'c7ef06b03b3786387596bf072db184d7'","offset":2733,"source":"/var/log/radius/radacct/10.122.217.4/detail-20170309","type":"log"}
{"@timestamp":"2017-03-09T00:50:49.671Z","beat":{"hostname":"app.radius.local","name":"app.radius.local","version":"5.2.2"},"fields":{"type":"radiusdetail"},"input_type":"log","message":"\tTimestamp = 1489020648","offset":2757,"source":"/var/log/radius/radacct/10.122.217.4/detail-20170309","type":"log"}`

Below is my configuration file for filebeat

filebeat.prospectors:

- input_type: log


  paths:
    - /var/log/radius/radacct/*/detail-*

multiline.pattern: '^\t+.*$'
multiline.negate: false
multiline.match: after
   
fields:
   type: radiusdetail

output.file:
  path: "/tmp/filebeat"
  filename: filebeat

I really hope someone can help me with this!
Lou

andrewkroh · March 11, 2017, 5:55am

The indentation is incorrect. The multiline options are members of the prospector config so they need to be at the same level as input_type and paths.

filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/radius/radacct/*/detail-*
  multiline.pattern: '^\t+.*$'
  multiline.negate: false
  multiline.match: after
  document_type: radiusdetail # You might want this option instead of using fields.

Louuu · March 13, 2017, 4:20pm

Hi Andrew,

I shall give this a try in my test environment when I am next working on this project!

Thank you!

system · April 10, 2017, 4:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SOLVED - Multi Line Help Beats filebeat	2	378	May 14, 2019
FILEBEAT REGULAR EXPRESSION FAILING IN MULTI LINE PATTERN Beats filebeat	3	719	May 27, 2019
MultiLine Pattern Beats filebeat	4	444	July 11, 2018
Problem with Multiline pattern in Filebeat Beats filebeat	8	2638	August 3, 2017
Filebeat sets the multi-line mode, the unmatched rows are also multi-line, the match result is abnormal Beats	4	324	August 18, 2020

Understanding Multiline

Related topics