I have used ELK for displaying my middleware logs in Kibana. For that I am using the multiline pattern mentioned below; after that, the logs are displayed separately, each as a separate expandable. How can I display those logs as a single file, as a single expandable? I have been stuck on this same problem for the last couple of weeks.
Pattern I used:
multiline.pattern: '^\?'
multiline.negate: true
multiline.match: after
multiline.max_lines: 100000
Logs:
04:02:22,878 DEBUG [org.jboss.modules] (main) Module org.jboss.dmr:main defined by local module loader @42f30e0a (finder: local module finder @24273305 (roots: xxxxxx))
04:02:22,885 DEBUG [org.jboss.modules] (main) Module org.jboss.as.core-security:main defined by local module loader @42f30e0a (finder: local module finder @24273305 (roots: xxxxx)
04:02:22,887 DEBUG [org.jboss.modules] (main) Module org.jboss.as.core-security-api:main defined by local module loader @42f30e0a (finder: local module finder @24273305 (roots: xxxxx))
04:02:22,894 DEBUG [org.jboss.modules] (main) Module org.jboss.as.domain-management:main defined by local module loader @42f30e0a (finder: local module finder @24273305 (roots: xxxxx))
The above pattern will sync all the logs as a single expandable. If anything is newly added, then it is created as a separate expandable. That is expected behaviour from Kibana.
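A simplified Python model of how Filebeat groups lines under the multiline settings above (`negate: true`, `match: after`), added here as an illustration and not part of the original post. The sample lines, the timestamp pattern used for comparison, and the function names are constructed assumptions; flush timeouts are not modelled.

```python
import re

def group_multiline(lines, pattern, negate, max_lines=500):
    """Simplified model of Filebeat multiline grouping for match: after."""
    rx = re.compile(pattern)
    events, current = [], []
    for line in lines:
        matched = rx.search(line) is not None
        # negate: true means lines that do NOT match are continuation lines
        continuation = (not matched) if negate else matched
        if current and continuation:
            # lines beyond max_lines are dropped from the event
            if len(current) < max_lines:
                current.append(line)
            continue
        if current:
            events.append(current)
        current = [line]  # this line starts a new event
    if current:
        events.append(current)
    return ["\n".join(e) for e in events]

# Constructed sample: JBoss-style entries plus a stack trace continuation.
SAMPLE = [
    "04:02:22,878 DEBUG [org.jboss.modules] (main) Module org.jboss.dmr:main defined",
    "04:02:22,885 ERROR [org.example] (main) constructed failure",
    "\tat org.example.Foo.bar(Foo.java:10)",
    "\tat org.example.Main.main(Main.java:5)",
    "04:02:22,887 DEBUG [org.jboss.modules] (main) Module org.jboss.as.core-security-api:main defined",
]

# Pattern from the post, and an assumed pattern anchored on the log timestamp.
POST_PATTERN = r"^\?"
TIMESTAMP_PATTERN = r"^\d{2}:\d{2}:\d{2},\d{3} "

def count_events(pattern, max_lines=500):
    return len(group_multiline(SAMPLE, pattern, negate=True, max_lines=max_lines))

if __name__ == "__main__":
    for pat in (POST_PATTERN, TIMESTAMP_PATTERN):
        print(pat, "->", count_events(pat), "event(s)")
```

No line in the sample starts with `?`, so the pattern from the post treats every line as a continuation and produces one event, while the timestamp-anchored pattern starts a new event per log entry and keeps the stack trace attached to its entry.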