Provide an indication that a line is a multiline. #957

incogniro · 2016-02-10T12:50:17Z

When a multiline is processed and shipped by Filebeat, add to 'tags' an indicator. This is to mimic the behaviour the logstash multiline filter performs by adding 'multiline' to tags.
Originally reported on the discuss forum.

ruflin · 2016-03-16T08:03:17Z

I was having a quick look on this on how we could implement it. It is a little bit more complicated as I thought as the reader is completely decoupled from the event creation. One solution could be to add a Info() method to the LineProcessor interface. This would then return the type of the last line read.

Instead of using a tag I would suggest to add a multiline field which as content has the number of lines which were combined. Like this we directly have some additional meta information.

alpha-centauri · 2016-04-15T13:46:10Z

+1 for the idea of adding a multiline field with the number of lines

This allows to indicate if an event was multiline or not. The number of lines will be put under the multiline namespace and looks as following: ``` { ... "message": "[2015] hello world\n First Line\n Second Line", "multiline": { "lines": 3 }, ... } ``` See elastic#957 = Refactor fields handling with readers Each reader can add fields to the message object. The reader itself should always add data under its own namespace to prevent conflicts. All these fields are then added to the Data object. This will allow each reader in the future to add its own data if needed. The JSON reader was simplified in the way that data by default is written under the `json` namespace. Now no special fields have to be passed for JSON and the processing can still happen on the event level. Further refactoring to the JSON processing should happen in an other PR as event is probably not the right place to happen, as also the JSON config should not be part of it.

This allows to indicate if an event was multiline or not. The number of lines will be put under the multiline namespace and looks as following: ``` { ... "message": "[2015] hello world\n First Line\n Second Line", "multiline": { "lines": 3 }, ... } ``` See elastic#957

Closes elastic#957

@timestamp

…s. (#7997) Add "multiline" tag to "log.status" if the event contains multiple lines. This way users can filter for multiline messages using "multiline" in [log.status]. Example event { "@timestamp": "2018-08-17T11:35:21.813Z", "@metadata": { "beat": "filebeat", "type": "doc", "version": "7.0.0-alpha1" }, "source": "/home/n/test.log", "offset": 0, "log": { "status": [ "multiline" ], }, "message": "[test line\ntest line]", "prospector": { "type": "log" }, "input": { "type": "log" }, "beat": { "hostname": "sleipnir", "version": "7.0.0-alpha1", "name": "sleipnir" }, "host": { "name": "sleipnir" } } Closes #957

@timestamp

…s. (elastic#7997) Add "multiline" tag to "log.status" if the event contains multiple lines. This way users can filter for multiline messages using "multiline" in [log.status]. Example event { "@timestamp": "2018-08-17T11:35:21.813Z", "@metadata": { "beat": "filebeat", "type": "doc", "version": "7.0.0-alpha1" }, "source": "/home/n/test.log", "offset": 0, "log": { "status": [ "multiline" ], }, "message": "[test line\ntest line]", "prospector": { "type": "log" }, "input": { "type": "log" }, "beat": { "hostname": "sleipnir", "version": "7.0.0-alpha1", "name": "sleipnir" }, "host": { "name": "sleipnir" } } Closes elastic#957 (cherry picked from commit 6da83e8)

@timestamp

…s. (#7997) (#8207) Add "multiline" tag to "log.status" if the event contains multiple lines. This way users can filter for multiline messages using "multiline" in [log.status]. Example event { "@timestamp": "2018-08-17T11:35:21.813Z", "@metadata": { "beat": "filebeat", "type": "doc", "version": "7.0.0-alpha1" }, "source": "/home/n/test.log", "offset": 0, "log": { "status": [ "multiline" ], }, "message": "[test line\ntest line]", "prospector": { "type": "log" }, "input": { "type": "log" }, "beat": { "hostname": "sleipnir", "version": "7.0.0-alpha1", "name": "sleipnir" }, "host": { "name": "sleipnir" } } Closes #957 (cherry picked from commit 6da83e8)

andrewkroh added enhancement Filebeat Filebeat labels Mar 9, 2016

ruflin mentioned this issue Aug 16, 2016

Add line number counter for multiline #2279

Closed

urso assigned kvch Aug 16, 2018

kvch mentioned this issue Aug 17, 2018

Add tag "multiline" to "log.flags" if event consists of multiple lines. #7997

Merged

kvch added a commit to kvch/beats that referenced this issue Aug 30, 2018

add log.multiline if message consists of multiple lines

6e822b3

Closes elastic#957

kvch closed this as completed in #7997 Aug 31, 2018

kvch mentioned this issue Sep 3, 2018

Cherry-pick #7997 to 6.x: Add tag "multiline" to "log.flags" if event consists of multiple lines. #8207

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Provide an indication that a line is a multiline. #957

Provide an indication that a line is a multiline. #957

incogniro commented Feb 10, 2016

ruflin commented Mar 16, 2016 •

edited

Loading

alpha-centauri commented Apr 15, 2016

Provide an indication that a line is a multiline. #957

Provide an indication that a line is a multiline. #957

Comments

incogniro commented Feb 10, 2016

ruflin commented Mar 16, 2016 • edited Loading

alpha-centauri commented Apr 15, 2016

ruflin commented Mar 16, 2016 •

edited

Loading