You are using the wrong syntax for filestream; what you have is the old
log type syntax.
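# Filestream input. Multiline handling is configured as an entry under
# `parsers`; the older `log` input instead takes `multiline.*` options
# directly on the input.
- type: filestream
  # Change to true to enable this input configuration.
  enabled: true
  # NOTE(review): no `id` is set here. Filebeat expects a unique `id` on each
  # filestream input; omitting or changing it can lead to duplicated events.
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /Users/sbrown/workspace/sample-data/discuss/filebeat-multiline/test-log-378301.log
    #- c:\programdata\elasticsearch\logs\*
  parsers:
    - multiline:
        type: pattern
        # A new event starts at a line that begins with a timestamp such as
        # "2025/04/29 06:17:07 AM". Single quotes keep the backslashes literal.
        pattern: '^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} (AM|PM)'
        # negate: true with match: after means every line that does NOT match
        # the pattern is appended to the preceding line that did match.
        negate: true
        match: after
        # `max_lines` and `timeout` are not set, so Filebeat's defaults apply.
        # Lines beyond `max_lines` are discarded, so a very long stack trace
        # can arrive truncated; raise the limit if complete traces matter.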
That worked for me. Results:
{
"@timestamp": "2025-05-19T17:03:54.690Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "8.17.2"
},
"container": {
"id": "discuss"
},
"message": "2025/04/29 06:17:07 AM\nSystem.Exception: ServiceCode not found wrongservicecode.\n",
"log": {
"flags": [
"multiline"
],
"offset": 267,
"file": {
"path": "/Users/sbrown/workspace/sample-data/discuss/filebeat-multiline/test-log-378301.log",
"device_id": "16777221",
"inode": "144197757"
}
},
"input": {
"type": "filestream"
},