problems with parsing multiline

[SergeyParamoshkin]

Hi. I have a problem, I use a multiline parsing with this configuration.

multiline:
        pattern: ^\[
        negate: true
        match: after

but when parsing ambari-agent

INFO 2016-06-08 10:11:08,241 Controller.py:265 - Heartbeat response received (id = 131593)
INFO 2016-06-08 10:11:08,241 ActionQueue.py:100 - Adding STATUS_COMMAND for component METRICS_MONITOR of service AMBARI_METRICS of cluster rnd_dwh to the queue.
INFO 2016-06-08 10:11:08,336 ActionQueue.py:100 - Adding STATUS_COMMAND for component HBASE_REGIONSERVER of service HBASE of cluster rnd_dwh to the queue.
INFO 2016-06-08 10:11:08,421 ActionQueue.py:100 - Adding STATUS_COMMAND for component DATANODE of service HDFS of cluster rnd_dwh to the queue.
INFO 2016-06-08 10:11:08,467 ActionQueue.py:100 - Adding STATUS_COMMAND for component NODEMANAGER of service YARN of cluster rnd_dwh to the queue.

it all turns out the same message in logstash.

This is a bug? or am I wrong tune filebeat

system configuration filebeat version 1.2.2 (amd64) Red Hat Enterprise Linux Server release 6.7 (Santiago)

[ruflin]

I'm not sure why the above pattern should match your lines above as there is no [ inside? BTW: I assume you are using filebeat.

For questions please use https://discuss.elastic.co/c/beats/filebeat We will request you to open an Github issue in case we can confirm the bug. Closing this issue but please open a discuss topic here: https://discuss.elastic.co/c/beats/filebeat

BTW: I strongly recommend to use 1.2.3 as 1.2.2 as a bug in the registry.