{"id":57,"date":"2019-02-11T19:24:22","date_gmt":"2019-02-11T18:24:22","guid":{"rendered":"https:\/\/camilomatajira.wordpress.com\/?p=57"},"modified":"2025-06-10T18:37:14","modified_gmt":"2025-06-10T18:37:14","slug":"how-to-make-filebeat-include_lines-work","status":"publish","type":"post","link":"https:\/\/camilo.matajira.com\/?p=57","title":{"rendered":"How to make Filebeat&#8217;s include_lines work!"},"content":{"rendered":"<p>The key to making include_lines work is to understand that (1) Filebeat uses its own set of regular expressions and (2) you should match the whole line.<\/p>\n<p>Filebeat&#8217;s own regular expression support is documented <a href=\"https:\/\/www.elastic.co\/guide\/en\/beats\/filebeat\/current\/regexp-support.html\">here<\/a>. To test whether your regular expressions work, you can try them out <a href=\"https:\/\/regexr.com\/\">here<\/a>. Beware, you should match the whole line! (If you use regexr.com, make sure that the whole line that you are testing is highlighted.)<\/p>\n<p>For example, in a big message queue, I am interested only in the log lines that contain the word &#8220;apache&#8221;. The filebeat.yml for this requirement would look like this:<\/p>\n<pre><code>filebeat.inputs:\n- type: log\n  paths:\n    - '\/usr\/share\/filebeat\/my_logs\/rsyslog_log\/messages'\n  # the regular expression should match the whole line\n  include_lines: ['.*apache.*']\noutput.logstash:\n  hosts: ['localhost:5044']\n  timeout: 30s<\/code><\/pre>\n<p>It is important to mention that if you use <code>include_lines: ['apache']<\/code>, it won&#8217;t work!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The key to making include_lines work is to understand that (1) Filebeat uses its own set of regular expressions and (2) you should match the whole line. Regarding Filebeat&#8217;s own regular expressions you can go here. To test if your regular expressions work you can try them out here. 
Beware, you should match the&#8230;<\/p>\n","protected":false},"author":2,"featured_media":215,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[12,26,31,32,35],"class_list":["post-57","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-debugging","tag-apache","tag-debugging","tag-elasticsearch","tag-elk","tag-filebeat"],"_links":{"self":[{"href":"https:\/\/camilo.matajira.com\/index.php?rest_route=\/wp\/v2\/posts\/57","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/camilo.matajira.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/camilo.matajira.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/camilo.matajira.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/camilo.matajira.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=57"}],"version-history":[{"count":1,"href":"https:\/\/camilo.matajira.com\/index.php?rest_route=\/wp\/v2\/posts\/57\/revisions"}],"predecessor-version":[{"id":545,"href":"https:\/\/camilo.matajira.com\/index.php?rest_route=\/wp\/v2\/posts\/57\/revisions\/545"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/camilo.matajira.com\/index.php?rest_route=\/wp\/v2\/media\/215"}],"wp:attachment":[{"href":"https:\/\/camilo.matajira.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=57"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/camilo.matajira.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=57"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/camilo.matajira.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=57"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}