Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add while pattern multiline reader to Filebeat #19662

Merged
merged 1 commit into from
Jul 31, 2020
Merged

add while pattern multiline reader to Filebeat #19662

merged 1 commit into from
Jul 31, 2020

Conversation

tufitko
Copy link
Contributor

@tufitko tufitko commented Jul 5, 2020
edited by zube bot
Loading

What does this PR do?

Added a new type for multiline reader. It combines the lines that satisfy the pattern.

Why is it important?

The current pattern reader combines lines matching the pattern + line at the beginning or at the end. So you need to know where the multiline starts (or ends), and in cases where the logs are collected from different sources, there can be many different multilines (panic, exception python ...)

I would like to configure filebeat once according to the following rule: usually, the application writes logs in the json format, in cases of exceptions it writes multiline in some format (not json) and needs to detect such multilines.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [ ]

How to test this PR locally

example of Filebeat configuration:

filebeat.inputs:
  - type: log
    paths:
      - app.log
    reload.enabled: true
    multiline:
      type: 'while_pattern'
      pattern: '^{'
      negate: true
output.console:
  pretty: true

example app.log:

{}
{}
panic: some text
 some text 2
 some text 3
{}
{}

expect 5 events

Related issues

Use cases

  • Aggregate stacktraces from many different programming languages, without the need to describe each stackrace

Screenshots

Logs

@elasticmachine
Copy link
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

1 similar comment
@elasticmachine
Copy link
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 5, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Jul 5, 2020
edited by jenkins-beats-ci bot
Loading

💔 Tests Failed

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [kvch commented: jenkins run tests]

  • Start Time: 2020-07-30T12:59:39.562+0000

  • Duration: 75 min 51 sec

Test stats 🧪

Test Results
Failed 14
Passed 14336
Skipped 1369
Total 15719

Test errors

Expand to view the tests failures

  • Name: Build and Test / Libbeat / Libbeat oss / TestDockerStart – docker

    • Age: 1
    • Duration: 12.04
    • Error Details: Failed

  • Name: Build and Test / Auditbeat x-pack / test_connected_udp_ipv4 – test_system_socket.Test

    • Age: 1
    • Duration: 60.034
    • Error Details: Expected exit code to be 0, but it was 1

  • Name: Build and Test / Auditbeat x-pack / test_connected_udp_ipv6 – test_system_socket.Test

    • Age: 1
    • Duration: 60.03
    • Error Details: Expected exit code to be 0, but it was 1

  • Name: Build and Test / Auditbeat x-pack / test_dns_enrichment – test_system_socket.Test

    • Age: 1
    • Duration: 60.028
    • Error Details: Expected exit code to be 0, but it was 1

  • Name: Build and Test / Auditbeat x-pack / test_dns_long_request – test_system_socket.Test

    • Age: 1
    • Duration: 60.03
    • Error Details: Expected exit code to be 0, but it was 1

  • Name: Build and Test / Auditbeat x-pack / test_dns_udp_ipv6 – test_system_socket.Test

    • Age: 1
    • Duration: 60.13
    • Error Details: Expected exit code to be 0, but it was 1

  • Name: Build and Test / Auditbeat x-pack / test_dns_unidirectional_udp – test_system_socket.Test

    • Age: 1
    • Duration: 60.024
    • Error Details: Expected exit code to be 0, but it was 1

  • Name: Build and Test / Auditbeat x-pack / test_multi_udp_upv4 – test_system_socket.Test

    • Age: 1
    • Duration: 60.12
    • Error Details: Expected exit code to be 0, but it was 1

  • Name: Build and Test / Auditbeat x-pack / test_no_dns_enrichment – test_system_socket.Test

    • Age: 1
    • Duration: 60.109
    • Error Details: Expected exit code to be 0, but it was 1

  • Name: Build and Test / Auditbeat x-pack / test_tcp_ipv4 – test_system_socket.Test

    • Age: 1
    • Duration: 60.117
    • Error Details: Expected exit code to be 0, but it was 1

  • Name: Build and Test / Auditbeat x-pack / test_tcp_ipv6_disabled – test_system_socket.Test

    • Age: 1
    • Duration: 60.026
    • Error Details: Expected exit code to be 0, but it was 1

  • Name: Build and Test / Auditbeat x-pack / test_udp_ipv4 – test_system_socket.Test

    • Age: 1
    • Duration: 60.115
    • Error Details: Expected exit code to be 0, but it was 1

  • Name: Build and Test / Auditbeat x-pack / test_udp_ipv6 – test_system_socket.Test

    • Age: 1
    • Duration: 60.119
    • Error Details: Expected exit code to be 0, but it was 1

  • Name: Build and Test / Auditbeat x-pack / test_udp_ipv6_disabled – test_system_socket.Test

    • Age: 1
    • Duration: 60.121
    • Error Details: Expected exit code to be 0, but it was 1

Steps errors

Expand to view the steps failures

  • Name: Mage update build test

    • Description: mage update build test

    • Duration: 20 min 37 sec

    • Start Time: 2020-07-30T13:23:55.951+0000

    • log

  • Name: Mage build test

    • Description: mage build test

    • Duration: 23 min 0 sec

    • Start Time: 2020-07-30T13:23:53.553+0000

    • log

Log output

Expand to view the last 100 lines of log output 

[2020-07-30T14:13:58.545Z]   inflating: /var/lib/jenkins/workspace/Beats_beats_PR-19662/bin/terraform  
[2020-07-30T14:13:58.545Z] + rm /var/lib/jenkins/workspace/Beats_beats_PR-19662/bin/terraform.zip
[2020-07-30T14:13:58.545Z] + chmod +x /var/lib/jenkins/workspace/Beats_beats_PR-19662/bin/terraform
[2020-07-30T14:13:58.904Z] + make mage
[2020-07-30T14:13:58.904Z] Installing mage v1.10.0.
[2020-07-30T14:13:59.851Z] go: downloading github.com/magefile/mage v1.10.0
[2020-07-30T14:14:01.239Z] /var/lib/jenkins/workspace/Beats_beats_PR-19662/.magefile cleaned
[2020-07-30T14:14:01.579Z] + git config --get user.email
[2020-07-30T14:14:01.579Z] + [ -z  ]
[2020-07-30T14:14:01.579Z] + git config user.email beatsmachine@users.noreply.github.com
[2020-07-30T14:14:01.579Z] + git config user.name beatsmachine
[2020-07-30T14:14:01.998Z] + .ci/scripts/terraform-cleanup.sh x-pack/metricbeat
[2020-07-30T14:14:01.998Z] + DIRECTORY=x-pack/metricbeat
[2020-07-30T14:14:01.998Z] + FAILED=0
[2020-07-30T14:14:01.998Z] ++ find x-pack/metricbeat -name terraform.tfstate
[2020-07-30T14:14:01.998Z] + exit 0
[2020-07-30T14:14:02.554Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats
[2020-07-30T14:14:02.866Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-07-30T14:14:02.881Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Lint
[2020-07-30T14:14:02.976Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Elastic-Agent-x-pack
[2020-07-30T14:14:03.074Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Winlogbeat-oss
[2020-07-30T14:14:03.168Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Auditbeat-crosscompile
[2020-07-30T14:14:03.262Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Dockerlogbeat
[2020-07-30T14:14:03.366Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Generators-Metricbeat-Linux
[2020-07-30T14:14:03.462Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Journalbeat-oss
[2020-07-30T14:14:03.550Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Functionbeat-x-pack
[2020-07-30T14:14:03.639Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Packetbeat-Linux
[2020-07-30T14:14:03.731Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-OSS-Unit-tests
[2020-07-30T14:14:03.824Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Elastic-Agent-x-pack-Windows
[2020-07-30T14:14:03.921Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Heartbeat-oss
[2020-07-30T14:14:04.020Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Auditbeat-oss-Windows
[2020-07-30T14:14:04.128Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Winlogbeat-Windows-x-pack
[2020-07-30T14:14:04.224Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Auditbeat-x-pack-Windows
[2020-07-30T14:14:04.310Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Auditbeat-oss-Linux
[2020-07-30T14:14:04.396Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Libbeat-x-pack
[2020-07-30T14:14:04.482Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-07-30T14:14:04.566Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-crosscompile
[2020-07-30T14:14:04.651Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Filebeat-Windows
[2020-07-30T14:14:04.747Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-x-pack-Windows
[2020-07-30T14:14:04.828Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Winlogbeat-Windows
[2020-07-30T14:14:04.911Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-Windows
[2020-07-30T14:14:05.007Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Heartbeat-Windows
[2020-07-30T14:14:05.098Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Packetbeat-Windows
[2020-07-30T14:14:05.182Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Generators-Beat-Linux
[2020-07-30T14:14:05.265Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Auditbeat-x-pack
[2020-07-30T14:14:05.351Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Functionbeat-Windows
[2020-07-30T14:14:05.439Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Libbeat-oss
[2020-07-30T14:14:05.526Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Filebeat-x-pack
[2020-07-30T14:14:05.613Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Filebeat-oss
[2020-07-30T14:14:05.702Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-OSS-Go-Integration-tests
[2020-07-30T14:14:05.802Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-OSS-Python-Integration-tests
[2020-07-30T14:14:05.895Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-x-pack
[2020-07-30T14:14:06.279Z] + cat
[2020-07-30T14:14:06.279Z] + /usr/local/bin/runbld ./runbld-script
[2020-07-30T14:14:06.279Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-07-30T14:14:12.876Z] runbld>>> runbld started
[2020-07-30T14:14:12.876Z] runbld>>> 1.6.12/f45d832f2ba0aa2722ab4ec1fda8ad140f027f8b
[2020-07-30T14:14:13.819Z] runbld>>> The following profiles matched the job 'Beats/beats/PR-19662' in order of occurrence in the config (last value wins).
[2020-07-30T14:14:15.205Z] runbld>>> Debug logging enabled.
[2020-07-30T14:14:15.205Z] runbld>>> Storing result
[2020-07-30T14:14:15.469Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-07-30T14:14:15.469Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200730141414-6E00CA28
[2020-07-30T14:14:15.469Z] runbld>>> Adding system facts.
[2020-07-30T14:14:16.411Z] runbld>>> Adding vcs info for the latest commit:  7eb64a062cfae57c4427600d17610af574696bb8
[2020-07-30T14:14:16.411Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-07-30T14:14:16.411Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-07-30T14:14:16.411Z] Processing JUnit reports with runbld...
[2020-07-30T14:14:16.411Z] + echo 'Processing JUnit reports with runbld...'
[2020-07-30T14:14:16.672Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-07-30T14:14:16.672Z] runbld>>> DURATION: 38ms
[2020-07-30T14:14:16.672Z] runbld>>> STDOUT: 40 bytes
[2020-07-30T14:14:16.672Z] runbld>>> STDERR: 49 bytes
[2020-07-30T14:14:16.672Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-07-30T14:14:16.672Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats
[2020-07-30T14:14:18.062Z] runbld>>> Storing build metadata: 
[2020-07-30T14:14:18.062Z] runbld>>> Adding test report.
[2020-07-30T14:14:18.062Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats
[2020-07-30T14:14:18.634Z] runbld>>> Found 118 test output files
[2020-07-30T14:14:19.582Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-openmetrics.xml
[2020-07-30T14:14:19.582Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-iis.xml
[2020-07-30T14:14:19.582Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-istio.xml
[2020-07-30T14:14:19.582Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-tomcat.xml
[2020-07-30T14:14:19.582Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-activemq.xml
[2020-07-30T14:14:19.582Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-OSS-Go-Integration-tests/metricbeat/build/TEST-go-integration-graphite.xml
[2020-07-30T14:14:19.582Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19662/src/github.com/elastic/beats/Metricbeat-OSS-Go-Integration-tests/metricbeat/build/TEST-go-integration-windows.xml
[2020-07-30T14:14:21.504Z] runbld>>> Test output logs contained: Errors: 0 Failures: 14 Tests: 15569 Skipped: 1133
[2020-07-30T14:14:21.504Z] runbld>>> Storing result
[2020-07-30T14:14:21.504Z] runbld>>> FAILURES: 14
[2020-07-30T14:14:24.049Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-07-30T14:14:24.050Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200730141414-6E00CA28
[2020-07-30T14:14:24.310Z] runbld>>> Email notification disabled by environment variable.
[2020-07-30T14:14:24.310Z] runbld>>> Slack notification disabled by environment variable.
[2020-07-30T14:14:29.862Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-19662
[2020-07-30T14:14:29.977Z] [INFO] getVaultSecret: Getting secrets
[2020-07-30T14:14:30.043Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-07-30T14:14:31.072Z] + chmod 755 generate-build-data.sh
[2020-07-30T14:14:31.072Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19662/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19662/runs/5 FAILURE 4491250
[2020-07-30T14:14:31.072Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19662/runs/5/steps/?limit=10000 -o steps-info.json
[2020-07-30T14:14:32.934Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19662/runs/5/tests/?status=FAILED -o tests-errors.json
[2020-07-30T14:14:33.845Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19662/runs/5/log/ -o pipeline-log.txt

@andresrc andresrc requested a review from kvch July 6, 2020 12:40
@andresrc andresrc added the Team:Services (Deprecated) Label for the former Integrations-Services team label Jul 6, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations-services (Team:Services)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 6, 2020
@kvch
Copy link
Contributor

kvch commented Jul 6, 2020

You mention in your PR that 5 events are expected in case of the input you have provided. Are 4 of those events empty?

@tufitko
Copy link
Contributor Author

tufitko commented Jul 6, 2020

You mention in your PR that 5 events are expected in case of the input you have provided. Are 4 of those events empty?

It's simple example: {} - this mean any random json line, instead of {} there can be any json object.
Yep, if empty events is {}

@tufitko tufitko requested a review from kvch July 7, 2020 10:35
@cla-checker-service
Copy link

cla-checker-service bot commented Jul 19, 2020
edited
Loading

💚 CLA has been signed

@kvch
Copy link
Contributor

kvch commented Jul 27, 2020

Please rebase the branch and address the minor notes.

@tufitko tufitko requested a review from kvch July 29, 2020 05:18
@kvch
Copy link
Contributor

kvch commented Jul 30, 2020

jenkins run tests

@kvch kvch merged commit 43bbf51 into elastic:master Jul 31, 2020
v1v added a commit to v1v/beats that referenced this pull request Jul 31, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into feature/ci-pipeli…
35b6b37 
…ne-2.0

* upstream/master:
  New multiline mode in Filebeat: while_pattern (elastic#19662)
  Allow space or time sync character before timestamp on syslog messages (elastic#13278)
  Skip TestDockerStart (elastic#20361)
  Change licence of github.com/gorhill/cronexpr to Apache (elastic#20351)
v1v added a commit to v1v/beats that referenced this pull request Aug 6, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into fix/ci-tools-inst…
6b99d98 
…allation

* upstream/master: (23 commits)
  [docs] Promote ingest management to beta (elastic#20295)
  Upgrade elasticsearch client library used in tests (elastic#20405)
  Disable logging when pulling on python integration tests (elastic#20397)
  Remove pillow from testing requirements.txt (elastic#20407)
  [Filebeat][ATP Module]Setting user agent field required by the API (elastic#20440)
  [Ingest Manager] Send datastreams fields (elastic#20402)
  Add event.ingested to all Filebeat modules (elastic#20386)
  [Elastic Agent] Fix agent control socket path to always be less than 107 characters (elastic#20426)
  Improve cgroup_regex docs with examples (elastic#20425)
  Makes `metrics` config option required in app_insights (elastic#20406)
  Ensure install scripts only install if needed (elastic#20349)
  Update container name for the azure filesets (elastic#19899)
  Group same timestamp metrics values in app_insights metricset (elastic#20403)
  add_process_metadata processor adds container id even if process metadata not accessible (elastic#19767)
  Support "cluster" scope in Metricbeat elasticsearch module (elastic#18547)
  [Filebeat][SophosXG Module] Renaming module and fileset (elastic#20396)
  Update Suricata dashboards (elastic#20394)
  [Elastic Agent] Improve version, restart, enroll CLI commands (elastic#20359)
  Prepare home directories for docker images in a different stage (elastic#20356)
  New multiline mode in Filebeat: while_pattern (elastic#19662)
  ...
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
@tufitko @melchiormoulin
New multiline mode in Filebeat: while_pattern (elastic#19662)
918cc2f 
## What does this PR do?

Added a new type for multiline reader. It combines the lines that satisfy the pattern.

## Why is it important?

The current pattern reader combines lines matching the pattern + line at the beginning or at the end. So you need to know where the multiline starts (or ends), and in cases where the logs are collected from different sources, there can be many different multilines (panic, exception python ...)

I would like to configure filebeat once according to the following rule: usually, the application writes logs in the json format, in cases of exceptions it writes multiline in some format (not json) and needs to detect such multilines.

## How to test this PR locally

example of Filebeat configuration:
```
filebeat.inputs:
  - type: log
    paths:
      - app.log
    reload.enabled: true
    multiline:
      type: 'while_pattern'
      pattern: '^{'
      negate: true
output.console:
  pretty: true
```

example app.log:
```
{}
{}
panic: some text
 some text 2
 some text 3
{}
{}
```

expect 5 events


## Use cases

- Aggregate stacktraces from many different programming languages, without the need to describe each stackrace
@zube zube bot removed the [zube]: Done label Oct 30, 2020
@asazallesmilner
Copy link

@tufitko Would you happen to know if this while_pattern works/doesn't work with the new filestream input? i have it configured with the example you provided and i'm getting nothing from filebeat since I switched to while_pattern....?

@tufitko
Copy link
Contributor Author

tufitko commented Feb 15, 2023
edited
Loading

@asazallesmilner hm, I need some research. I'll come back to you later.

@tufitko
Copy link
Contributor Author

tufitko commented Feb 15, 2023

@asazallesmilner also, can you show me your config?

@asazallesmilner
Copy link

asazallesmilner commented Feb 15, 2023
edited
Loading

filebeat.inputs:

  • type: filestream
    id: my-filestream-id
    enabled: true
    paths:
    • /home/azalles/repos/scratch/ecs/ecs*.log
      parsers:
    • ndjson:
      target: ""
      message_key: message
      overwrite_keys: true
      expand_keys: true
    • multiline:
      type: while_pattern
      pattern: '^{'
      negate: true
      #match: after
      #timeout: 5s
      #max_lines: 500

Note: i don't know how to get this to display right when i'm not editing it, but i'm pretty sure i have the indentation correct.

@tufitko
Copy link
Contributor Author

tufitko commented Feb 15, 2023

@asazallesmilner I didn't find any problem with while_pattern logic, did you try running without it?
also, did you inspect debug logs of filebeat? it's helpful.
I see some cases when ndjson sends empty lines

beats/libbeat/reader/readjson/json.go

Line 88 in 47fe3c3

if !ok {

Sorry, but I'm totally out of context, so more information is necessary

@tufitko
Copy link
Contributor Author

tufitko commented Feb 15, 2023

and samples of logs is helpful too :)

@asazallesmilner
Copy link

debug logs show absolutely nothing of interest
and it just doesn't send ANYTHING from the moment I change it to while pattern.
so I suspect it does not having anything to do with the log file
I attached the Filebeat config and a sample log
I think I have the exact same need you did when you created this, everything is supposed to be JSON, anything that is not JSON i want to make multiline to handle whatever language the app might have been in, and not have the stack dump addend to the previous JSON (which is what is happening with the regular pattern)

small.log.sample.txt
filebeat.config.txt

When I was using the regular pattern it sent just fine, minus the multiline not handling the where multiline got applied.

@asazallesmilner
Copy link

I found my issue. I Assumed that since this PR was done so long ago, it would be in the code for version 7.17 of Filebeat. I just noticed I was wrong and this only appears in the docs for 8.0+ Sorry about that. THANK YOU for looking into it!!!!!

@tufitko
Copy link
Contributor Author

tufitko commented Feb 16, 2023

@asazallesmilner oh, Okey! No problem :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kvch kvch kvch approved these changes

Assignees
No one assigned
Labels
Team:Services (Deprecated) Label for the former Integrations-Services team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tufitko @elasticmachine @kvch @asazallesmilner @andresrc