Filebeat include_lines prior multiline #12562
Comments
I second this. For example: my final document should be 10-15 lines long, but instead it's over 50 lines long, most of it useless data.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Does this mean the suggestion won't be implemented?
Pinging @elastic/agent (Team:Agent)
@jose-caballero No, it doesn't mean that; we just close stale issues after a few months. We haven't prioritized this enhancement yet.
Are there any alternatives to implement this? Or do we just end up with lots of unwanted data in the multiline event?
That is a very interesting issue. The current implementation applies include_lines only after the multiline pattern has assembled the event.

@reddybhavaniprasad a possible workaround is to use the script processor (or another processor) to clean up the event after it has been assembled by the input. It does not look like an ideal solution, but it might be doable.
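A minimal sketch of that workaround with Filebeat's script processor, assuming the unwanted lines can be recognized by a prefix (the `DEBUG: ` prefix here is purely illustrative):

```yaml
processors:
  - script:
      lang: javascript
      source: |
        function process(event) {
          var msg = event.Get("message");
          if (!msg) {
            return;
          }
          // Drop unwanted lines from the already-assembled multiline
          // event. The "DEBUG: " prefix is only an example; adjust the
          // predicate to whatever marks your irrelevant lines.
          var kept = msg.split("\n").filter(function (line) {
            return line.indexOf("DEBUG: ") !== 0;
          });
          event.Put("message", kept.join("\n"));
        }
```

Note this trims the event after assembly, so the full multiline block is still read and merged first; it only reduces what gets shipped.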
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
I'm not sure I follow, @nimarezainia. Do you mean the current implementation of Elastic Agent or the V2? Because if the current Filebeat does not support it, then how can the Elastic Agent influence the log processing (that's all done in Filebeat)? One idea that might work (but we need to check the feasibility) is to have
@nimarezainia Yes, I think that would make sense too; we were doing this in Logstash as a filter. If you do this, there is a caveat that needs to be handled correctly. When you move stuff outside of a plugin (function call), there is a risk that multiple events from multiple files are processed together, so some kind of file identity or source identity needs to exist. That is, the processing needs to be done on the same stream of events and not on all the events. I believe our processors look like this.
The latter ensures that a stream, i.e. all events from the same file, keeps its meaning and that
@nimarezainia The other problem is you actually also need to have a
Yes, it will become available on agent.
I am also facing this issue. The only difference is that @jose-caballero says he doesn't want to include irrelevant lines. In my case, the irrelevant data I want to exclude pushes me over an apparent line limit and the message gets truncated, so I cannot include those irrelevant lines. If I had the option to process
Hi! We're labeling this issue as
Still relevant. Thanks a lot. :)
Yes, still want to see this one fixed.
Hi! We're labeling this issue as
For the Filestream input it is possible to select lines before running the multiline parser by using the include_message parser. Here is an example:
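A sketch of such a configuration, with illustrative paths, id, and patterns. Parsers run in order, so `include_message` filters the raw lines before `multiline` assembles the survivors:

```yaml
filebeat.inputs:
  - type: filestream
    id: app-logs              # illustrative input id
    paths:
      - /var/log/app/*.log    # illustrative path
    parsers:
      # Keep only lines matching these (example) patterns...
      - include_message.patterns:
          - "^ERR"
          - "^WARN"
      # ...then run multiline on the lines that survived.
      - multiline:
          type: pattern
          pattern: '^\['
          negate: true
          match: after
```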
I'm closing this issue as I believe that solves the problem described. Feel free to re-open if that's not the case.
Adding a bit more context: there was a bug in the configuration validation logic that would fail to instantiate this parser. This got fixed in
Describe the enhancement:
Allow Filebeat to process include_lines before executing multiline patterns.
Describe a specific use case for the enhancement or feature:
Here is a real use case.
Under these circumstances, the ideal solution is to let Filebeat first filter the data using include_lines, and then merge the results into a single line, so Logstash can process all of it at once. Otherwise, Logstash requires fairly complicated plugin code to distinguish which line comes from which host, to avoid mixing them.
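For illustration, here is a log input configured with both options (paths and patterns are hypothetical). The request is that include_lines be applied to the individual raw lines before the multiline pattern merges them, whereas today the merge happens first:

```yaml
filebeat.inputs:
  - type: log
    paths:
      - /var/log/app/*.log    # illustrative path
    # Requested to run first, on individual raw lines:
    include_lines: ['^ERR', '^WARN']
    # Today the multiline merge is applied before include_lines:
    multiline.pattern: '^\['
    multiline.negate: true
    multiline.match: after
```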