As far as I can tell filebeat doesn’t support multiple multiline.pattern, multiline.negate, and multiline.match entries for the same log. Am I missing something? I know I can do an “OR” pattern in the multiline.pattern entry, but that doesn’t help me because I can only have a single negate and/or match entry.
Is there any method that supports grouping multiline entries based on a common unique ID (like a Thread ID/PID/etc) that gets printed on all the lines in the multiline entry?
IE, I’d like to group these four lines into 2 multi-line entries based on the “ThreadID” Value:
[01:28:07.357] ThreadID:111111 Muti-line entry 1
[01:28:07.358] ThreadID:111111 Multiline Entry 2
[01:28:07.367] ThreadID:222222 Muti-line entry 1
[01:28:07.368] ThreadID:222222 Multiline Entry 2
In my case the “ThreadID” multiline entries would all be written one right after another, and not separated by other threadID’s, which hopefully makes this easier.