
I have used ELK to display my middleware logs in Kibana. For that I am using the multiline pattern mentioned below; after that, the logs are displayed separately, as separate expandables. How do I display those logs as a single file, as a single expandable? I have been stuck on this problem for the last couple of weeks.

Pattern I used:

 multiline.pattern: '^\?'
 multiline.negate: true
 multiline.match: after
 multiline.max_lines: 100000

Logs:

04:02:22,878 DEBUG [org.jboss.modules] (main) Module org.jboss.dmr:main defined by local module loader @42f30e0a (finder: local module finder @24273305 (roots: xxxxxx))
04:02:22,885 DEBUG [org.jboss.modules] (main) Module org.jboss.as.core-security:main defined by local module loader @42f30e0a (finder: local module finder @24273305 (roots: xxxxx)
04:02:22,887 DEBUG [org.jboss.modules] (main) Module org.jboss.as.core-security-api:main defined by local module loader @42f30e0a (finder: local module finder @24273305 (roots: xxxxx))
04:02:22,894 DEBUG [org.jboss.modules] (main) Module org.jboss.as.domain-management:main defined by local module loader @42f30e0a (finder: local module finder @24273305 (roots: xxxxx))
Shankar
  • You need to clarify how you want to compile your single event and how you want your index to be. – Yu Watanabe Oct 05 '17 at 10:51
  • Initially all the logs were synced as a single expandable. After that, the newly created logs were synced separately. My guess is that it is the behavior of ELK. – Shankar Oct 06 '17 at 06:24

1 Answer

 multiline.pattern: '^\?'
 multiline.negate: true
 multiline.match: after
 multiline.max_lines: 100000

The above pattern will sync all the logs as a single expandable. If anything is newly added, it is created as a separate expandable. That is expected behaviour from Kibana.

Shankar
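How the multiline settings in this thread group lines, as an added example that is not part of the original posts: a simplified Python model of `multiline.pattern` / `multiline.negate` / `multiline.match: after` that ignores `multiline.timeout` and `multiline.max_lines`. The sample lines are constructed in the question's log format, and the timestamp pattern and the function names are assumptions for illustration, not settings anyone in the thread used.

```python
import re

# Constructed sample in the question's JBoss format, plus a two-line stack trace.
SAMPLE = [
    "04:02:22,878 DEBUG [org.jboss.modules] (main) Module org.jboss.dmr:main defined",
    "04:02:22,885 ERROR [org.jboss.as] (main) Boot failed: java.lang.IllegalStateException",
    "\tat org.example.Boot.start(Boot.java:42)",
    "\tat org.example.Main.main(Main.java:7)",
    "04:02:22,894 DEBUG [org.jboss.modules] (main) Module org.jboss.as.domain-management:main defined",
]


def group_after(lines, pattern, negate):
    """Simplified model of multiline.match: after.

    A line is a continuation (appended to the open event) when
    (regex matches) != negate; any other line starts a new event.
    """
    rx = re.compile(pattern)
    events, current = [], []
    for line in lines:
        continuation = bool(rx.search(line)) != negate
        if continuation and current:
            current.append(line)
        else:
            if current:
                events.append("\n".join(current))
            current = [line]
    if current:
        events.append("\n".join(current))
    return events


def question_config(lines):
    # Pattern from the question: no log line starts with '?', so every line
    # counts as a continuation and the whole batch becomes one event.
    return group_after(lines, r"^\?", negate=True)


def timestamp_config(lines):
    # Assumed alternative: a leading HH:MM:SS,mmm timestamp starts a new event,
    # so stack-trace lines stay attached to the entry that produced them.
    return group_after(lines, r"^\d{2}:\d{2}:\d{2},\d{3}", negate=True)


if __name__ == "__main__":
    print(len(question_config(SAMPLE)), "event(s) with '^\\?'")
    print(len(timestamp_config(SAMPLE)), "event(s) with the timestamp pattern")
```

In Filebeat itself the open event is also flushed when `multiline.timeout` (default 5s) expires, so lines written after the initial batch arrive as new events, which matches the behaviour described in the answer.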