
So I'm trying to have Filebeat send the entire log file as one event instead of every line as an event, but it's not working. This is my Filebeat setup:

    multiline.pattern: ^\[
    multiline.negate: true
    multiline.match: after

and this is an example of a log file that i have:

2020-02-03 16:03:25,038 INFO Initial blacklisted packages: 
2020-02-03 16:03:25,039 INFO Initial whitelisted packages: 
2020-02-03 16:03:25,039 INFO Starting unattended upgrades script

But Filebeat sends every line as an event; I need to send the whole thing as one event instead of separated.

Any idea of what I'm doing wrong here?

Thanks in advance for any help!

Ghaith Haddad
  • `^\[` doesn't match anything in this log, so I don't think your multiline rule will kick in anywhere. Also what are you actually trying to do? You're trying to abuse Filebeat to do something it wasn't really built for, so there might be a better overall approach. – xeraa Feb 04 '20 at 09:53

1 Answer


You probably don't actually want to send the whole log as one event (one record); it doesn't make much sense. If you just want to upload a whole file, check the Logstash file input (not Filebeat). It can do it for you.

And your `multiline.pattern` (which will split text into events) may be like `^[0-9]{4}-[0-9]{2}-[0-9]{2}`.

ILya Cyclone
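
An offline check of the pattern suggested in the answer above, as an added example that is not part of the original posts and is not Filebeat code: a simplified Python model of `multiline.negate: true` with `multiline.match: after`, run over the question's log lines plus constructed traceback lines. The names `group_events`, `PATTERN` and `SAMPLE` are hypothetical, and the `max_lines` handling is a simplification that drops extra lines.

```python
import re

# Pattern suggested in the answer: a line that starts with a YYYY-MM-DD date.
# It uses only syntax that Python's re and Go's regexp both accept.
PATTERN = re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2}")

# Log lines from the question, followed by three constructed lines
# (an error with a traceback) to show continuation lines being folded in.
SAMPLE = """\
2020-02-03 16:03:25,038 INFO Initial blacklisted packages:
2020-02-03 16:03:25,039 INFO Initial whitelisted packages:
2020-02-03 16:03:25,039 INFO Starting unattended upgrades script
2020-02-03 16:03:26,101 ERROR Upgrade failed (constructed line)
Traceback (most recent call last): (constructed line)
  File "example.py", line 1, in <module> (constructed line)
"""


def group_events(lines, pattern=PATTERN, max_lines=500):
    """Simplified model of multiline with negate: true, match: after.

    A line matching `pattern` starts a new event; each following line that
    does not match is appended to that event. Once an event holds
    `max_lines` lines, further continuation lines are dropped.
    """
    events, current = [], []
    for line in lines:
        if pattern.search(line) and current:
            # A new timestamped line closes the event collected so far.
            events.append("\n".join(current))
            current = []
        if len(current) < max_lines:
            current.append(line)
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    for i, event in enumerate(group_events(SAMPLE.splitlines()), 1):
        print(f"--- event {i} ---\n{event}")
```

With this pattern each timestamped line becomes its own event, and only lines that lack a leading date (such as a traceback) are merged into the preceding one.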