Using Filebeat's Multiline to combine 2 lines only

cbril · February 6, 2019, 10:40pm

I have a log with an interesting format where it has a timestamp on one line and then the message on the next line. I am trying to use Filebeat's multiline to combine the line with the timestamp and the following line with the message into one event.

The timestamp looks like this:
Wed Jan 30 10:35:51 2019

My Filebeat has these options:
multiline.pattern: '^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}'
multiline.negate: false
multiline.match: before

At run time, there are no multiline events in the index, and in fact there are no events that match the timestamp pattern being sent at all (is it tossing them out?). I suspect that multiline only works with 2 or more lines matching the pattern, but documentation doesn't state this.

pierhugues · February 7, 2019, 1:20pm

Hello, Looking at your regexp I think its is correct, but you should use the

multiline.negate: true
multiline.match: after

In our documentation we have a nice table that give information about the behavior of the different flags and options I always refer to it.

cbril · February 11, 2019, 5:05pm

Thank you very much for your response. I suspect this setting will group all log events between timestamps into their own event, i.e.

Mon Feb 11 09:03:42 2019
Line 1
Line 2
Line 3
Mon Feb 11 10:42:11 2019
Line 4
Line 5

Would be shipped as two events:
Mon Feb 11 09:03:42 2019 \nLine 1 \nLine 2 \nLine 3
Mon Feb 11 10:42:11 2019 \nLine 4 \nLine 5

system · March 11, 2019, 5:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.