Filebeat: multiline: introduce merge by using max-lines as condition instead of pattern #18038
Pinging @elastic/integrations-services (Team:Services)
I am not sure I completely understand your request. Is If you configure
Thanks for investigating this topic. The kind
In theory you could use the pattern as well, but in practice I would expect that it just reads every N lines into a single event from a file, so we could remove/hard-code the other parameters as that would make the usage clearer and simpler.
I have opened this PR to add a new mode to multiline reader to aggregate N lines: #18352. With the following configuration you can aggregate 5 lines and parse the JSON:

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
  multiline.type: count
  multiline.lines_count: 5
processors:
- decode_json_fields:
    fields: ["message"]
    target: ""
    overwrite_keys: true
```

Does this solve your problem?
Thanks for your PR. I like your improvement
I introduced a new option because
I am not sure why it does not fit your use case. Could you please share a few example logs so I can understand it?
I will test it first and in case it fails I will give you some examples. I created in my own space a changelist that contains an implementation with less changes. My changelist is based on this changelist so comparing should be straightforward. It does reuse the current implementation of multiline, so in case that is not preferred the implementation of this PR can be used. I also fixed the go-test and python-test.
Your approach leads to a smaller changeset. However, I do not want to add more complexity to the already pretty complicated pattern-based matcher of the multiline reader. So I would rather go with my own solution. I hope that is fine with you. :) I am looking forward to seeing the results of your tests.
Absolutely. I will test and let you know the results when I have some time.
Hi, I tested your change and the concatenating of the lines works fine. Thanks. As expected, the json-decoder fails. This is caused by the fact that the lines are concatenated with a and the filebeat.yml: As the extension
I added a new option
#18352) ## What does this PR do?
This PR adds a new mode for the multiline reader of Libbeat (exposed in Filebeat). The new mode lets users aggregate the configured number of lines into a single event. Example configuration to aggregate 5 lines:

```yaml
multiline.type: count
multiline.count_lines: 5
```

This PR also adds a new configuration option `skip_newline`. If set, Filebeat does not add a newline when two events are concatenated. Closes #18038
…ate constant number of lines (#19243) * Add new mode to multiline reader to aggregate constant number of lines (#18352) ## What does this PR do?
This PR adds a new mode for the multiline reader of Libbeat (exposed in Filebeat). The new mode lets users aggregate the configured number of lines into a single event. Example configuration to aggregate 5 lines:

```yaml
multiline.type: count
multiline.count_lines: 5
```

This PR also adds a new configuration option `skip_newline`. If set, Filebeat does not add a newline when two events are concatenated. Closes #18038 (cherry picked from commit e3f51ab)
Thanks all. I just integrated the filebeat 7.9.x version (which contains this change) in our system and it works like a charm. Thanks again.
Describe the enhancement:
Once in a while people like to merge messages into a single line not based on a pattern but based on the number of lines that have to be merged. This may be caused by not having a clear usable pattern or by just wanting to reduce the number of lines in a message by combining several. There are situations where it may also be handy to combine the lines into a JSON array that can be used by other applications.
I propose to introduce an extra multiline parameter `kind` that distinguishes this behavior. Of course all the other parameters are still valid, so in theory you can combine the `pattern` and the `max_lines` parameters, although in practice I do not expect that. The values of the `kind` parameter would be `<<empty>>` (default and current implementation), `merge`, and `merge-json`, where `merge-json` will combine the messages in a JSON array.
Describe a specific use case for the enhancement or feature:
It is when you know the number of lines of an event but there is no clear pattern.
For example, someone has dumped a database table one field per line. In that case you know the number of lines for a row (= number of columns) but creating a pattern for that may be hard. In this situation the configuration can be as follows:
where 13 is the number of columns in a row. This will create a single event for a single row. In case you would choose `merge-json` they would be combined in one JSON array.
Another use case is that someone just wants to group a set of events that are similar. For example, the application is creating a lot of events and you want to put them in buckets of 300 each so that you can handle such a group as a single event. In that case the configuration can be as follows:
A side effect of the `merge` and `merge-json` options is that there are no lines discarded.