beats
beats copied to clipboard
elastic
[Filebeat] AWS CloudWatch Input add multiline support
Mirroring request for S3 multiline input, https://github.com/elastic/beats/issues/23350
Describe the enhancement: At the moment Filebeat AWS CloudWatch Input doesn't offer multiline support
Describe a specific use case for the enhancement or feature: In AWS Cloudwatch streaming to SQS there might are occasions for log files that hold multiline log lines like for instance AWS Hadoop or other Java products.
We currently have AWS SQS logs in Cloudwatch that need multiline processing in order to get into ELK pipeline.
https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-input-s3.html https://github.com/elastic/beats/blob/master/x-pack/filebeat/input/s3/config.go#L12 Would it be possible to add multiline support please like there exist for logs input already?? https://www.elastic.co/guide/en/beats/filebeat/master/multiline-examples.html https://github.com/elastic/beats/blob/master/filebeat/input/log/config.go#L34 https://github.com/elastic/beats/blob/master/filebeat/input/log/config.go#L70
Is there any workaround at least for this? I tried using logstash multiline codec but it refuses to work when filebeat is the input. So, no multiline in filebeat input, no multiline in logstash. I'm not sure how to workaround this one
Hi! We just realized that we haven't looked into this issue in a while. We're sorry!
We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!
![botelastic[bot] avatar](https://avatars.githubusercontent.com/u/6764390?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hello! is there a solution? Problem is the continuation line beguns with timestamp ...
