Add multiline.flush_pattern option

[TheoAndersen]

This allows for specifying a regex, which will flush the current multiline, thus ending the current multiline. Useful for using multiline to capture application events with 'start' and 'end' lines.

Example configuration
multiline.pattern: 'start'
multiline.negate: true
multiline.match: after
multiline.flush_pattern: 'end'

(#3964)

[elasticmachine]

Jenkins standing by to test this. If you aren't a maintainer, you can ignore this comment. Someone with commit access, please review this and clear it for Jenkins to run.

[elasticmachine]

Jenkins standing by to test this. If you aren't a maintainer, you can ignore this comment. Someone with commit access, please review this and clear it for Jenkins to run.

[TheoAndersen]

I have signed the CLA now.. can somebody trigger it to check again? :)

[TheoAndersen]

ahhr... need to run it through gofmt... will fix and amend

[ruflin]

@TheoAndersen Thanks a lot for the contribution. I' m thinking if we should have a separate config option for start and end/flush pattern so we don't mix it with the other configs. The part I worry is that "misconfiguration" of all together could lead to strange side effects.

At the same time the implementation looks rather simple you did

multiline.start_pattern:
multiline.end_pattern:

[TheoAndersen]

@ruflin Thanks for the comments.

This PR is just the addition of the extra optional parameter flush_pattern, so i don't think it will affect existing configurations, unless you actively use this configuration.

One thing i have found though, is that the way i use this multiline configuration will force everything to be gathered into events - wheres i really just wanted to merge specific lines (matched with a start and end pattern) into a single event - and leave the rest as they are.

Ex if you have a log like this

Line 1
Line 2
Line 3 - Some event starts
Line 4 - Content of event
Line 5 - End of event
Line 6
Line 7

and use a configuration like this

multiline.pattern: 'Some event starts'
multiline.negate: true
multiline.match: after
multiline.flush_pattern: 'End of event'

then it will create 3 events.

• one with line 1 to 2 merged
• one with 3 to 5 (the one i really only wanted merged)
• one with line 6 to 7

Where i really only wanted line 3 to 5 merged.

I'm not sure if this is possible to do, by continuing to hack or add on the current multiline implementation? using the multiline.negate: true will kindof make multiline try to merge all lines in the log wont it?

Do you have any suggestions for this?

Also i would ideally like to be able to specify multiple start-end patterns, if there was multiple kinds of events in there (but this could be done by piping in the regular expression i guess).

[ruflin]

I feel like this PR is a good kick of to discuss how we should extend multiline and which use cases it should covered. Unfortunately the initial design doc is now in the filebeat repo which we made private to not have people opening issues there all the time. But in summary there are 2 things in there which we haven't implemented yet:

• Support for multiple patterns instead of just one
• Start / End patterns

What you implemented here is kind of the end pattern, but I agree with you that I would also expect the behaviour that one event for each line is sent, if no start pattern is started.

The initial implementation was done based on some example logs from java stack traces to json logs etc. I would suggest we proceed like this and having directly some real world examples that we want to work on. Perhaps what you did above is already all we need as the other format is more a theoretical one, but not sure.

One of the suggestion from the "old" issue looks as following:

# Enable mutline feature
multiline:
  # See description of start_pattern. Can be used alone and in combination with end_pattern
  start_pattern: regexp
  start_pattern_negate: bool

  # See description of end_pattern. Can be used alone and in combination with start_pattern
  end_pattern: regexp
  end_pattern_negate: bool

  # See description of after_pattern. Can only be used alone
  after_pattern: regexp
  after_pattern_negate: bool

  # See description of before_pattern. Can only be used alone
  before_pattern: regexp
  before_pattern_negate: true

This can probably be expressed in more compact way.

[ruflin]

We quickly discussed this internally and decided to move forward with this and add more feature to multiline at a later stage. This already solves lots of potential use cases.

I suggest we add a few system-tests to the mix (check tests/system/test_multiline.py) to make sure the behaviour is exactly as expected.

Could you also add a changelog entry?

[ruflin]

We should not overwrite an existing test but add a new one.

[TheoAndersen]

This should have added the missing test, and the changelog

[ruflin]

Thanks. I left you two minor comments.

[ruflin]

this line should be removed.

[ruflin]

could you add one more test where first there are lines which do not match the pattern EventStart?

[TheoAndersen]

Can anybody help me with this build-error?

Can't seem to figure it out ( @ruflin? )

[ruflin]

@TheoAndersen Bad timing. There was one commit today which was merged into master and was failing and you exactly got that one :-( Can you rebase on top of master and run make update and make fmt on the top beats level?

[TheoAndersen]

Thats how it goes. Trying again :)

[ruflin]

jenkins, test it

[TheoAndersen]

Was that just thinking out loud, or does jenkins actually parse these comments?

if so..

Jenkins, test faster ;o)

[ruflin]

Yes, jenkins parses the comments, but there are only a few and not all users can trigger the events ;-)

[ruflin]

Sorry to bug you again, but this seems to have been messed up during rebasing. Unfortunately happens from time to time :-(

[ruflin]

All good from my side and ready to merge as soon as changelog is updated.

[TheoAndersen]

Updated changelog

[ruflin]

@TheoAndersen Merged. Thanks a lot for this contribution.

[ppf2]

The changelog indicates that this feature is available in 5.3.0 and above.

https://github.com/elastic/beats/blob/master/CHANGELOG.asciidoc#beats-version-530

But the actual code does not appear until 6.0. Should we fix the changelog? @ruflin

[ruflin]

@ppf2 It definitively seems like this changelog ended up in the completely wrong place.

@monicasarbu @tsg What should we do here as I remember our CHANGELOG is also in some release etc. I assume it's not solved by just removing it in 5.x.