Hello all,
We are having difficulties setting up a multiline pattern that must be triggered whenever xml data is found in the event.
We are facing the following problem. If we set the timestamp as a multi-line pattern (in our case pattern => "^%{TIMESTAMP_ISO8601}"), all single-line and multi-line events will be classified as multi-line and get processed OK, but when we try to narrow it down by including an XML tag, e.g. "^%{TIMESTAMP_ISO8601}.<?xml" or "^%{TIMESTAMP_ISO8601}.<?xml", the output gets completely messed up and inserts single-line events into multi-line events. Or it just breaks the multi-line events into separate events.
Log example: https://pastebin.com/x7Dg1Aki
Logstash output example: https://pastebin.com/CD0t4qvx
Logstash conf example: https://pastebin.com/Ag74fuBs
Hopefully somebody can advise us on this subject!