Hello.
I am using filebeat to push data to graylog/elasticsearch. Now i am trying to push that type of information from log file: 2016-12-05 14:07:45,399 | SUCCESS Finished executing sql (8 ms): 7ed3a851-2f36-47a5-ad12-028169d48ae4 select distinct wp.id, wp.a, wp.b, wp.c, wp.d, wp.e, wp.f, pp.g from x wp, y kp, x pp where ? between wp.dataa and wp.databb and (kp.idparam = ?) and ((pp.code = ?) or (pp.test = 1) and (select distinct count (pp.code) from a wp, b kp, c pp where (kp.id = ?) and (pp.code = ?) and (pp.idka = kp.id) and (wp.idd = pp.id) group by pp.code) IS NULL) and (pp.code = ?) and (pp.idka = kp.id) and (wp.idpr = pp.id); 2016-12-05 14:07:45,410 | INFO | 1. approach: I used include_ lines: "SUCCESS Finished executing sql \((?:\d+) ms\): (?:[^\r\n]+)\r?\n-- Nazwa wykonywanego pliku sql: (?:[^\r\n]+)\r?\n(.*?)(?:\r?\n\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d|\z" 2.approach: multiline: match: after pattern: "SUCCESS Finished executing sql" max_lines: 50 paths: - /vlogfile.log scan_frequency: 10s tail_files: false I have no idea how to catch it with regexsp. I used multilinepatern but that is not working. Could You help me how to work with that type of information in log file ? Graylog 2.1 Filebeat 5.1 -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/a1dcd9f2-b246-4e02-9857-06ebd315bd79%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.