1
votes

We have successfully set up the ELK stack in our production environment. We can also see the log output (the logs are unstructured) on our Kibana server.

Everything is working fine for us. But the only thing we are concerned about is that the messages in Kibana are structured as one message for every single line written to a given log file.

Question:

So, is there a way to merge (club together) the log messages by a maximum number of lines (in Filebeat, before sending them to Logstash or Elasticsearch) so that the merged lines are considered as one event in Elasticsearch / Kibana / Logstash?

Note: the log messages are unstructured (no particular regex pattern in them), so I can't use that. But I did try the max_lines approach, yet the event in Kibana still shows a document for a single line.

Example:

If my log files have entries like this:

Sending ... 0 .. 2016-02-17 13:20:13 +0530 
Sending ... 1 .. 2016-02-17 13:20:13 +0530 
Sending ... 2 .. 2016-02-17 13:20:14 +0530 
Sending ... 3 .. 2016-02-17 13:20:14 +0530 
Sending ... 4 .. 2016-02-17 13:20:14 +0530 
Sending ... 5 .. 2016-02-17 13:20:15 +0530 
Sending ... 6 .. 2016-02-17 13:20:15 +0530 
Sending ... 7 .. 2016-02-17 13:20:16 +0530 
Sending ... 8 .. 2016-02-17 13:20:16 +0530 
Sending ... 9 .. 2016-02-17 13:20:16 +0530 
Sending ... 10 .. 2016-02-17 13:20:17 +0530 
Sending ... 11 .. 2016-02-17 13:20:17 +0530 
Sending ... 12 .. 2016-02-17 13:20:18 +0530 
Sending ... 13 .. 2016-02-17 13:20:18 +0530 
Sending ... 14 .. 2016-02-17 13:20:18 +0530 
Sending ... 15 .. 2016-02-17 13:20:19 +0530 
Sending ... 16 .. 2016-02-17 13:20:19 +0530 
Sending ... 17 .. 2016-02-17 13:20:20 +0530 
Sending ... 18 .. 2016-02-17 13:20:20 +0530 
Sending ... 19 .. 2016-02-17 13:20:20 +0530 
Sending ... 20 .. 2016-02-17 13:20:21 +0530 
Sending ... 21 .. 2016-02-17 13:20:21 +0530 
Sending ... 22 .. 2016-02-17 13:20:22 +0530 
Sending ... 23 .. 2016-02-17 13:20:22 +0530 
Sending ... 24 .. 2016-02-17 13:20:22 +0530 
Sending ... 25 .. 2016-02-17 13:20:23 +0530 
Sending ... 26 .. 2016-02-17 13:20:23 +0530 
Sending ... 27 .. 2016-02-17 13:20:24 +0530 
Sending ... 28 .. 2016-02-17 13:20:24 +0530 
Sending ... 29 .. 2016-02-17 13:20:24 +0530 
Sending ... 30 .. 2016-02-17 13:20:25 +0530 
Sending ... 31 .. 2016-02-17 13:20:25 +0530 
Sending ... 32 .. 2016-02-17 13:20:26 +0530 
Sending ... 33 .. 2016-02-17 13:20:26 +0530 
Sending ... 34 .. 2016-02-17 13:20:26 +0530 
Sending ... 35 .. 2016-02-17 13:20:27 +0530 
Sending ... 36 .. 2016-02-17 13:20:27 +0530 
Sending ... 37 .. 2016-02-17 13:20:28 +0530 
Sending ... 38 .. 2016-02-17 13:20:28 +0530 
Sending ... 39 .. 2016-02-17 13:20:29 +0530 
Sending ... 40 .. 2016-02-17 13:20:29 +0530 
Sending ... 41 .. 2016-02-17 13:20:30 +0530

I want Filebeat to group them (a better word: merge them)

(for example: a configuration in Filebeat that would merge them.)

So eventually the event that gets sent to Logstash/Elasticsearch should look like this:

Event 1 (with message as ..)

Sending ... 0 .. 2016-02-17 13:20:13 +0530 
Sending ... 1 .. 2016-02-17 13:20:13 +0530 
Sending ... 2 .. 2016-02-17 13:20:14 +0530 
Sending ... 3 .. 2016-02-17 13:20:14 +0530 
Sending ... 4 .. 2016-02-17 13:20:14 +0530 
Sending ... 5 .. 2016-02-17 13:20:15 +0530 
Sending ... 6 .. 2016-02-17 13:20:15 +0530 
Sending ... 7 .. 2016-02-17 13:20:16 +0530 
Sending ... 8 .. 2016-02-17 13:20:16 +0530 
Sending ... 9 .. 2016-02-17 13:20:16 +0530 
Sending ... 10 .. 2016-02-17 13:20:17 +0530 
Sending ... 11 .. 2016-02-17 13:20:17 +0530 
Sending ... 12 .. 2016-02-17 13:20:18 +0530 
Sending ... 13 .. 2016-02-17 13:20:18 +0530 
Sending ... 14 .. 2016-02-17 13:20:18 +0530 
Sending ... 15 .. 2016-02-17 13:20:19 +0530 

Event 2 (with message as ..)

Sending ... 16 .. 2016-02-17 13:20:19 +0530 
Sending ... 17 .. 2016-02-17 13:20:20 +0530 
Sending ... 18 .. 2016-02-17 13:20:20 +0530 
Sending ... 19 .. 2016-02-17 13:20:20 +0530 
Sending ... 20 .. 2016-02-17 13:20:21 +0530 
Sending ... 21 .. 2016-02-17 13:20:21 +0530 
Sending ... 22 .. 2016-02-17 13:20:22 +0530 
Sending ... 23 .. 2016-02-17 13:20:22 +0530 
Sending ... 24 .. 2016-02-17 13:20:22 +0530 
Sending ... 25 .. 2016-02-17 13:20:23 +0530 
Sending ... 26 .. 2016-02-17 13:20:23 +0530 
Sending ... 27 .. 2016-02-17 13:20:24 +0530 
Sending ... 28 .. 2016-02-17 13:20:24 +0530 
Sending ... 29 .. 2016-02-17 13:20:24 +0530 
Sending ... 30 .. 2016-02-17 13:20:25 +0530 
Sending ... 31 .. 2016-02-17 13:20:25 +0530 
Sending ... 32 .. 2016-02-17 13:20:26 +0530 

And so on ...

But unfortunately it just creates an event for each line. See the attached screenshot.


Here is how my Filebeat config looks (once again, I can't use regex since the logs are generally unstructured; the logs given above are just an example.)

Thoughts?

Note: Filebeat version 1.1.0

1
You should probably show some sample log lines and the resulting document you'd like to get. Also you should show what you've already tried with the multiline codec (i.e. how you configured logstash) – Val
@Val Edited the question. – Viren

1 Answer

2
votes

You're using the max_lines option of Filebeat's multiline for the wrong purpose.

max_lines is used to make sure the multiline events get flushed to Elasticsearch/Logstash (Filebeat documentation).

This means that when you set your max_lines to 5, for example, and you have a multiline event of 7 lines, Filebeat will only send the first 5 lines; afterwards it will flush its memory of the multiline event and start sending the second event.

At this moment, what you want to do, and the way you want to do it, is impossible with Filebeat 1.1.0. You can always post a sample of your logfiles that shows their irregularity; maybe all together we can find a pattern (Github issue).

On the other hand, why do you want to do this?
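To make the answer's point about max_lines concrete, here is an added Python model of Filebeat's multiline reader (the pattern, negate, match and max_lines options; the timeout-based flush is not modelled). It is example code written for this page, not Filebeat's own code and not anything the asker or answerer posted; the log lines in it are constructed to mirror the question's format, and the stack-trace sample is likewise made up. It runs the scenarios the thread discusses: with no usable pattern every line is its own event; a pattern that matches every line combined with max_lines: 16 does not chunk the file into 16-line events but yields one 16-line event with the remaining lines discarded (the discard behaviour is what the Filebeat documentation specifies for max_lines); and the same reader does join a timestamp-led stack trace, which is the case multiline exists for.

```python
import re

# Constructed sample lines mirroring the question's format (not copied from any real system).
SENDING_LOG = [
    f"Sending ... {i} .. 2016-02-17 13:20:{13 + i // 3:02d} +0530" for i in range(42)
]

# Constructed example of a genuinely multi-line event: a stack trace whose
# continuation lines do not start with a timestamp.
STACK_TRACE_LOG = [
    "2016-02-17 13:21:00 ERROR Request failed",
    "java.lang.IllegalStateException: connection closed",
    "\tat com.example.Handler.handle(Handler.java:42)",
    "\tat com.example.Server.run(Server.java:17)",
    "2016-02-17 13:21:01 INFO Request ok",
]

# Regex used with negate: true so that a timestamp starts an event (assumed log format).
TIMESTAMP = r"^\d{4}-\d{2}-\d{2} "


def multiline_events(lines, pattern=None, negate=False, match="after", max_lines=500):
    """Model of Filebeat's multiline reader.

    Returns the events Filebeat would emit, each as the joined 'message' text.
    Only pattern/negate/match/max_lines are modelled; the timeout-based flush
    is ignored. Lines beyond max_lines are discarded, as the Filebeat docs state.
    """
    if pattern is None:
        # No multiline section configured: every line is its own event.
        return list(lines)
    if match not in ("after", "before"):
        raise ValueError("match must be 'after' or 'before'")
    regex = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        # 'negate' inverts the regex result before it is interpreted.
        hit = bool(regex.search(line)) != negate
        if match == "after":
            # A hit continues the current event; a miss starts a new one.
            if hit and buf:
                if len(buf) < max_lines:
                    buf.append(line)
            else:
                if buf:
                    events.append("\n".join(buf))
                buf = [line]
        else:
            # Hits are held back and prepended to the next miss, which closes the event.
            if len(buf) < max_lines:
                buf.append(line)
            if not hit:
                events.append("\n".join(buf))
                buf = []
    if buf:
        events.append("\n".join(buf))
    return events


def line_count(event):
    """Number of original log lines joined into one emitted event."""
    return event.count("\n") + 1


def demo():
    """Runs the scenarios discussed in the thread and returns their results."""
    return {
        # What the asker sees: no usable pattern, so one document per line.
        "no_pattern": multiline_events(SENDING_LOG),
        # Forcing every line to match and setting max_lines: 16 does not chunk
        # the file into 16-line events; the first 16 lines become one event and
        # the other 26 lines are dropped.
        "max_lines_misuse": multiline_events(SENDING_LOG, pattern=r"^Sending", max_lines=16),
        # Intended use: a timestamp starts an event, anything else continues it.
        "stack_trace": multiline_events(STACK_TRACE_LOG, pattern=TIMESTAMP, negate=True),
        # Same, but max_lines: 3 truncates the trace to its first three lines.
        "stack_trace_truncated": multiline_events(
            STACK_TRACE_LOG, pattern=TIMESTAMP, negate=True, max_lines=3
        ),
    }


if __name__ == "__main__":
    for name, events in demo().items():
        print(f"{name}: {len(events)} event(s), lines per event = {[line_count(e) for e in events]}")
```

From a detection standpoint the one-document-per-line result the asker is trying to get rid of is the useful one: each line keeps its own timestamp and fields, so it can be filtered, aggregated and alerted on in Kibana, whereas a document that concatenates sixteen unrelated lines hides all of that inside a single message string.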