From 750a05a91344554d62431dd48df43be0bcf5c3e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 22 Feb 2022 13:08:32 +0100 Subject: [PATCH 01/10] Add parsers to filestream reference configuration --- .../config/filebeat.inputs.reference.yml.tmpl | 95 +++++++++++++++++++ filebeat/filebeat.reference.yml | 95 +++++++++++++++++++ x-pack/filebeat/filebeat.reference.yml | 95 +++++++++++++++++++ 3 files changed, 285 insertions(+) diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index 010e5e36e2fd..52a2b476be90 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -293,6 +293,101 @@ filebeat.inputs: # original for harvesting but will report the symlink name as source. #prospector.scanner.symlinks: false + ### Parsers configuration + + #### JSON configuration + + #parsers: + #- ndjson: + # Decode JSON options. Enable this if your logs are structured in JSON. + # JSON key on which to apply the line filtering and multiline settings. This key + # must be top level and its value must be string, otherwise it is ignored. If + # no text key is defined, the line filtering and multiline features cannot be used. + #message_key: + + # By default, the decoded JSON is placed under a "json" key in the output document. + # If you enable this setting, the keys are copied top level in the output document. + #keys_under_root: false + + # If keys_under_root and this setting are enabled, then the values from the decoded + # JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) + # in case of conflicts. + #overwrite_keys: false + + # If this setting is enabled, then keys in the decoded JSON object will be recursively + # de-dotted, and expanded into a hierarchical object structure. + # For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. + #expand_keys: false + + # If this setting is enabled, Filebeat adds a "error.message" and "error.key: json" key in case of JSON + # unmarshaling errors or when a text key is defined in the configuration but cannot + # be used. + #add_error_key: false + + #### Multiline options + + # Multiline can be used for log messages spanning multiple lines. This is common + # for Java Stack Traces or C-Line Continuation + + #parsers: + #- multiline: + #type: pattern + # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ + #pattern: ^\[ + + # Defines if the pattern set under pattern should be negated or not. Default is false. + #negate: false + + # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern + # that was (not) matched before or after or as long as a pattern is not matched based on negate. + # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash + #match: after + + # The maximum number of lines that are combined to one event. + # In case there are more the max_lines the additional lines are discarded. + # Default is 500 + #max_lines: 500 + + # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event + # Default is 5s. + #timeout: 5s + + # Do not add new line character when concatenating lines. + #skip_newline: false + + # To aggregate constant number of lines into a single event use the count mode of multiline. + + #parsers: + #- multiline: + #type: count + + # The number of lines to aggregate into a single event. + #count_lines: 3 + + # The maximum number of lines that are combined to one event. + # In case there are more the max_lines the additional lines are discarded. + # Default is 500 + #max_lines: 500 + + # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event + # Default is 5s. + #timeout: 5s + + # Do not add new line character when concatenating lines. + #skip_newline: false + + #### Parsing container events + + # You can parse container events with different formats from all streams. + + #parsers: + #- container: + # Source of container events. Available options: all, stdin, stderr. + #stream: all + + # Format of the container events. Available options: auto, cri, docker, json-file + #format: auto + ### Log rotation # When an external tool rotates the input files with copytruncate strategy diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 90d614545dc1..b8c5fac0dde3 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -700,6 +700,101 @@ filebeat.inputs: # original for harvesting but will report the symlink name as source. #prospector.scanner.symlinks: false + ### Parsers configuration + + #### JSON configuration + + #parsers: + #- ndjson: + # Decode JSON options. Enable this if your logs are structured in JSON. + # JSON key on which to apply the line filtering and multiline settings. This key + # must be top level and its value must be string, otherwise it is ignored. If + # no text key is defined, the line filtering and multiline features cannot be used. + #message_key: + + # By default, the decoded JSON is placed under a "json" key in the output document. + # If you enable this setting, the keys are copied top level in the output document. + #keys_under_root: false + + # If keys_under_root and this setting are enabled, then the values from the decoded + # JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) + # in case of conflicts. + #overwrite_keys: false + + # If this setting is enabled, then keys in the decoded JSON object will be recursively + # de-dotted, and expanded into a hierarchical object structure. + # For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. + #expand_keys: false + + # If this setting is enabled, Filebeat adds a "error.message" and "error.key: json" key in case of JSON + # unmarshaling errors or when a text key is defined in the configuration but cannot + # be used. + #add_error_key: false + + #### Multiline options + + # Multiline can be used for log messages spanning multiple lines. This is common + # for Java Stack Traces or C-Line Continuation + + #parsers: + #- multiline: + #type: pattern + # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ + #pattern: ^\[ + + # Defines if the pattern set under pattern should be negated or not. Default is false. + #negate: false + + # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern + # that was (not) matched before or after or as long as a pattern is not matched based on negate. + # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash + #match: after + + # The maximum number of lines that are combined to one event. + # In case there are more the max_lines the additional lines are discarded. + # Default is 500 + #max_lines: 500 + + # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event + # Default is 5s. + #timeout: 5s + + # Do not add new line character when concatenating lines. + #skip_newline: false + + # To aggregate constant number of lines into a single event use the count mode of multiline. + + #parsers: + #- multiline: + #type: count + + # The number of lines to aggregate into a single event. + #count_lines: 3 + + # The maximum number of lines that are combined to one event. + # In case there are more the max_lines the additional lines are discarded. + # Default is 500 + #max_lines: 500 + + # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event + # Default is 5s. + #timeout: 5s + + # Do not add new line character when concatenating lines. + #skip_newline: false + + #### Parsing container events + + # You can parse container events with different formats from all streams. + + #parsers: + #- container: + # Source of container events. Available options: all, stdin, stderr. + #stream: all + + # Format of the container events. Available options: auto, cri, docker, json-file + #format: auto + ### Log rotation # When an external tool rotates the input files with copytruncate strategy diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index becffd39a6b1..3bcbfc0117a2 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -2759,6 +2759,101 @@ filebeat.inputs: # original for harvesting but will report the symlink name as source. #prospector.scanner.symlinks: false + ### Parsers configuration + + #### JSON configuration + + #parsers: + #- ndjson: + # Decode JSON options. Enable this if your logs are structured in JSON. + # JSON key on which to apply the line filtering and multiline settings. This key + # must be top level and its value must be string, otherwise it is ignored. If + # no text key is defined, the line filtering and multiline features cannot be used. + #message_key: + + # By default, the decoded JSON is placed under a "json" key in the output document. + # If you enable this setting, the keys are copied top level in the output document. + #keys_under_root: false + + # If keys_under_root and this setting are enabled, then the values from the decoded + # JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) + # in case of conflicts. + #overwrite_keys: false + + # If this setting is enabled, then keys in the decoded JSON object will be recursively + # de-dotted, and expanded into a hierarchical object structure. + # For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. + #expand_keys: false + + # If this setting is enabled, Filebeat adds a "error.message" and "error.key: json" key in case of JSON + # unmarshaling errors or when a text key is defined in the configuration but cannot + # be used. + #add_error_key: false + + #### Multiline options + + # Multiline can be used for log messages spanning multiple lines. This is common + # for Java Stack Traces or C-Line Continuation + + #parsers: + #- multiline: + #type: pattern + # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ + #pattern: ^\[ + + # Defines if the pattern set under pattern should be negated or not. Default is false. + #negate: false + + # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern + # that was (not) matched before or after or as long as a pattern is not matched based on negate. + # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash + #match: after + + # The maximum number of lines that are combined to one event. + # In case there are more the max_lines the additional lines are discarded. + # Default is 500 + #max_lines: 500 + + # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event + # Default is 5s. + #timeout: 5s + + # Do not add new line character when concatenating lines. + #skip_newline: false + + # To aggregate constant number of lines into a single event use the count mode of multiline. + + #parsers: + #- multiline: + #type: count + + # The number of lines to aggregate into a single event. + #count_lines: 3 + + # The maximum number of lines that are combined to one event. + # In case there are more the max_lines the additional lines are discarded. + # Default is 500 + #max_lines: 500 + + # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event + # Default is 5s. + #timeout: 5s + + # Do not add new line character when concatenating lines. + #skip_newline: false + + #### Parsing container events + + # You can parse container events with different formats from all streams. + + #parsers: + #- container: + # Source of container events. Available options: all, stdin, stderr. + #stream: all + + # Format of the container events. Available options: auto, cri, docker, json-file + #format: auto + ### Log rotation # When an external tool rotates the input files with copytruncate strategy From 2b51b9ebd466c66f40cb1fcc9d4c26821da2fda0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 22 Feb 2022 13:44:25 +0100 Subject: [PATCH 02/10] Update filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl Co-authored-by: Denis Rechkunov --- filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index 52a2b476be90..e50f568b1047 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -306,7 +306,7 @@ filebeat.inputs: #message_key: # By default, the decoded JSON is placed under a "json" key in the output document. - # If you enable this setting, the keys are copied top level in the output document. + # If you enable this setting, the keys are copied to the top level of the output document. #keys_under_root: false # If keys_under_root and this setting are enabled, then the values from the decoded From 91f4c2477bdb015d6aecd8f4ef941cd6bcc55982 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 22 Feb 2022 13:44:35 +0100 Subject: [PATCH 03/10] Update filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl Co-authored-by: Denis Rechkunov --- filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index e50f568b1047..c067153aaf7a 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -319,7 +319,7 @@ filebeat.inputs: # For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. #expand_keys: false - # If this setting is enabled, Filebeat adds a "error.message" and "error.key: json" key in case of JSON + # If this setting is enabled, Filebeat adds an "error.message" and "error.key: json" key in case of JSON # unmarshaling errors or when a text key is defined in the configuration but cannot # be used. #add_error_key: false From 082dacb80a6236a940fffa1a8d0ab8ec4392645b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 22 Feb 2022 13:44:45 +0100 Subject: [PATCH 04/10] Update filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl Co-authored-by: Denis Rechkunov --- filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index c067153aaf7a..797f8b68e392 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -301,7 +301,7 @@ filebeat.inputs: #- ndjson: # Decode JSON options. Enable this if your logs are structured in JSON. # JSON key on which to apply the line filtering and multiline settings. This key - # must be top level and its value must be string, otherwise it is ignored. If + # must be top level and its value must be a string, otherwise it is ignored. If # no text key is defined, the line filtering and multiline features cannot be used. #message_key: From dea3d96933e951f13ecc1c489a1b05830197b5f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 22 Feb 2022 13:45:02 +0100 Subject: [PATCH 05/10] Update filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl Co-authored-by: Denis Rechkunov --- filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index 797f8b68e392..6d95d9138819 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -335,7 +335,7 @@ filebeat.inputs: # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ #pattern: ^\[ - # Defines if the pattern set under pattern should be negated or not. Default is false. + # Defines if the pattern set under the pattern setting should be negated or not. Default is false. #negate: false # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern From a333371b72f6681c6583875a128dc1998d8bd978 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 22 Feb 2022 13:45:07 +0100 Subject: [PATCH 06/10] Update filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl Co-authored-by: Denis Rechkunov --- filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index 6d95d9138819..6376c55500e1 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -340,7 +340,7 @@ filebeat.inputs: # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern # that was (not) matched before or after or as long as a pattern is not matched based on negate. - # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash + # Note: After is the equivalent to previous and before is the equivalent to next in Logstash #match: after # The maximum number of lines that are combined to one event. From 096ce007a5179b5aa53b15f2bba84a8493585505 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 22 Feb 2022 13:45:12 +0100 Subject: [PATCH 07/10] Update filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl Co-authored-by: Denis Rechkunov --- filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index 6376c55500e1..8382dd7dbf29 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -344,7 +344,7 @@ filebeat.inputs: #match: after # The maximum number of lines that are combined to one event. - # In case there are more the max_lines the additional lines are discarded. + # In case there are more than max_lines the additional lines are discarded. # Default is 500 #max_lines: 500 From 3131a899f1e97f85a19cf0cab145bbf17a1e7742 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 22 Feb 2022 13:45:18 +0100 Subject: [PATCH 08/10] Update filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl Co-authored-by: Denis Rechkunov --- filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index 8382dd7dbf29..324920ed7792 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -348,7 +348,7 @@ filebeat.inputs: # Default is 500 #max_lines: 500 - # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event + # After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event # Default is 5s. #timeout: 5s From 97fb0a717496d2b5c3aaccbeba5ee8aa384e76ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 22 Feb 2022 13:45:24 +0100 Subject: [PATCH 09/10] Update filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl Co-authored-by: Denis Rechkunov --- filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index 324920ed7792..c1e5fd55d720 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -365,7 +365,7 @@ filebeat.inputs: #count_lines: 3 # The maximum number of lines that are combined to one event. - # In case there are more the max_lines the additional lines are discarded. + # In case there are more than max_lines the additional lines are discarded. # Default is 500 #max_lines: 500 From 429ae2e0dea9d870274a117ddc14d0eb7aa1e211 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 22 Feb 2022 13:47:01 +0100 Subject: [PATCH 10/10] update reference --- filebeat/filebeat.reference.yml | 16 ++++++++-------- x-pack/filebeat/filebeat.reference.yml | 16 ++++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index b8c5fac0dde3..67765b0f6d09 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -708,12 +708,12 @@ filebeat.inputs: #- ndjson: # Decode JSON options. Enable this if your logs are structured in JSON. # JSON key on which to apply the line filtering and multiline settings. This key - # must be top level and its value must be string, otherwise it is ignored. If + # must be top level and its value must be a string, otherwise it is ignored. If # no text key is defined, the line filtering and multiline features cannot be used. #message_key: # By default, the decoded JSON is placed under a "json" key in the output document. - # If you enable this setting, the keys are copied top level in the output document. + # If you enable this setting, the keys are copied to the top level of the output document. #keys_under_root: false # If keys_under_root and this setting are enabled, then the values from the decoded @@ -726,7 +726,7 @@ filebeat.inputs: # For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. #expand_keys: false - # If this setting is enabled, Filebeat adds a "error.message" and "error.key: json" key in case of JSON + # If this setting is enabled, Filebeat adds an "error.message" and "error.key: json" key in case of JSON # unmarshaling errors or when a text key is defined in the configuration but cannot # be used. #add_error_key: false @@ -742,20 +742,20 @@ filebeat.inputs: # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ #pattern: ^\[ - # Defines if the pattern set under pattern should be negated or not. Default is false. + # Defines if the pattern set under the pattern setting should be negated or not. Default is false. #negate: false # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern # that was (not) matched before or after or as long as a pattern is not matched based on negate. - # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash + # Note: After is the equivalent to previous and before is the equivalent to next in Logstash #match: after # The maximum number of lines that are combined to one event. - # In case there are more the max_lines the additional lines are discarded. + # In case there are more than max_lines the additional lines are discarded. # Default is 500 #max_lines: 500 - # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event + # After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event # Default is 5s. #timeout: 5s @@ -772,7 +772,7 @@ filebeat.inputs: #count_lines: 3 # The maximum number of lines that are combined to one event. - # In case there are more the max_lines the additional lines are discarded. + # In case there are more than max_lines the additional lines are discarded. # Default is 500 #max_lines: 500 diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 3bcbfc0117a2..5cfa51f4a6af 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -2767,12 +2767,12 @@ filebeat.inputs: #- ndjson: # Decode JSON options. Enable this if your logs are structured in JSON. # JSON key on which to apply the line filtering and multiline settings. This key - # must be top level and its value must be string, otherwise it is ignored. If + # must be top level and its value must be a string, otherwise it is ignored. If # no text key is defined, the line filtering and multiline features cannot be used. #message_key: # By default, the decoded JSON is placed under a "json" key in the output document. - # If you enable this setting, the keys are copied top level in the output document. + # If you enable this setting, the keys are copied to the top level of the output document. #keys_under_root: false # If keys_under_root and this setting are enabled, then the values from the decoded @@ -2785,7 +2785,7 @@ filebeat.inputs: # For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. #expand_keys: false - # If this setting is enabled, Filebeat adds a "error.message" and "error.key: json" key in case of JSON + # If this setting is enabled, Filebeat adds an "error.message" and "error.key: json" key in case of JSON # unmarshaling errors or when a text key is defined in the configuration but cannot # be used. #add_error_key: false @@ -2801,20 +2801,20 @@ filebeat.inputs: # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ #pattern: ^\[ - # Defines if the pattern set under pattern should be negated or not. Default is false. + # Defines if the pattern set under the pattern setting should be negated or not. Default is false. #negate: false # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern # that was (not) matched before or after or as long as a pattern is not matched based on negate. - # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash + # Note: After is the equivalent to previous and before is the equivalent to next in Logstash #match: after # The maximum number of lines that are combined to one event. - # In case there are more the max_lines the additional lines are discarded. + # In case there are more than max_lines the additional lines are discarded. # Default is 500 #max_lines: 500 - # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event + # After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event # Default is 5s. #timeout: 5s @@ -2831,7 +2831,7 @@ filebeat.inputs: #count_lines: 3 # The maximum number of lines that are combined to one event. - # In case there are more the max_lines the additional lines are discarded. + # In case there are more than max_lines the additional lines are discarded. # Default is 500 #max_lines: 500