I have several applications that generate logs in txt and log format, and I needed to send all the information to Kibana. I was able to send these logs, but each line of the file is sent as a separate event. I would like to send all log lines in just one event. Example of the application log format:
16/09/2021 14:32:37 - [ INFO ] - Lendo arquivo de configuração
16/09/2021 14:32:38 - [ INFO ] - UID de Execução: d6649885-37f1-4f98-ba86-c23289fbad25
16/09/2021 14:32:41 - [ INFO ] - Iniciando extração de arquivo .RAR...
16/09/2021 14:32:42 - [ ERROR ] - Erro de execução: System.ArgumentException: File does not exist: C:\Users\07.903007\Desktop\Base 2\arquivo rar\BaseII_cbss_16092021.rar
at SharpCompress.Archives.AbstractArchive`2..ctor(ArchiveType type, FileInfo fileInfo, ReaderOptions readerOptions)
at SharpCompress.Archives.Rar.RarArchive..ctor(FileInfo fileInfo, ReaderOptions options)
at SharpCompress.Archives.Rar.RarArchive.Open(String filePath, ReaderOptions options)
at BaseII.Program.Main(String[] args) in C:\Users\07.903007\Desktop\teste\legacyautomation\BaseII\Program.cs:line 45
I would like to send all the log lines in just one event, is this possible?
CodePudding user response:
You can specify the multiline option in your filebeat.yml config under the filebeat.inputs section.
Example config:
multiline.type: pattern
multiline.pattern: '^\d\d/\d\d/\d\d\d\d'
multiline.negate: true
multiline.match: after
That setup ensures that Filebeat takes all the lines that do not start with a date and combines them with the previous line that does.
The pattern is simply a regular expression.
If that's a Java stack trace, you can even go with this one, which looks for whitespace characters:
multiline.type: pattern
multiline.pattern: '^[[:space:]]'
multiline.negate: false
multiline.match: after
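The grouping rule used by both configs above, as an added example that is not part of the original answer: a small Python model of multiline.match: after, run on a constructed sample shortened from the question's log. The helper names group_after and summarize are hypothetical, Python's '^\s' stands in for '^[[:space:]]', and limits such as multiline.max_lines are not modelled.

```python
import re

DATE_START = r'^\d\d/\d\d/\d\d\d\d'  # first config, used with negate: true
SPACE_START = r'^\s'                  # stand-in for '^[[:space:]]', negate: false

# Constructed sample, shortened from the log in the question.
SAMPLE = [
    "16/09/2021 14:32:37 - [ INFO ] - Lendo arquivo de configuração",
    "16/09/2021 14:32:41 - [ INFO ] - Iniciando extração de arquivo .RAR...",
    "16/09/2021 14:32:42 - [ ERROR ] - Erro de execução: System.ArgumentException: File does not exist",
    "   at SharpCompress.Archives.Rar.RarArchive.Open(String filePath, ReaderOptions options)",
    "   at BaseII.Program.Main(String[] args)",
]

def group_after(lines, pattern, negate):
    """Group lines into events the way multiline.match: after does."""
    regex = re.compile(pattern)
    events, current = [], None
    for line in lines:
        matched = regex.search(line) is not None
        # negate: false -> lines that match continue the current event.
        # negate: true  -> lines that do NOT match continue the current event.
        continuation = matched != negate
        if continuation and current is not None:
            current.append(line)
        else:
            if current is not None:
                events.append("\n".join(current))
            current = [line]
    if current is not None:
        events.append("\n".join(current))  # flush the last event at end of input
    return events

def summarize(lines, pattern, negate):
    """Return the number of source lines in each resulting event."""
    return [e.count("\n") + 1 for e in group_after(lines, pattern, negate)]

if __name__ == "__main__":
    unindented = [line.lstrip() for line in SAMPLE]  # stack frames without leading spaces
    for name, lines in (("indented", SAMPLE), ("unindented", unindented)):
        print(name, "date pattern:", summarize(lines, DATE_START, negate=True))
        print(name, "space pattern:", summarize(lines, SPACE_START, negate=False))
```

With indented stack frames both patterns fold the trace into the ERROR event; if the frames reach Filebeat without leading whitespace, only the date pattern still groups them.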