Multiline logs are logs that span multiple lines. For instance, a Java stack trace typically starts with a line containing a timestamp and an error message, followed by the stack trace itself. If you ship those logs with a standard shipping method, every line of the log creates a separate log entry in Kibana, which makes the log difficult to read and understand.
To have your multiline logs properly indexed into Elasticsearch and displayed properly within Kibana, you must ship the logs using a shipper that supports multiline logs. What this means is that within the shipper, you can tell the shipper how to identify when a log begins and ends -- and then the shipper will send the full log to Logz.io as a single entry.
Many log shippers support multiline logs and every shipper works differently, but we recommend using Filebeat for multiline log shipping. Filebeat can be installed on Linux, Mac, and Windows; it ships logs using TLS encryption; it can compress the logs for shipping; and it handles multiline logs well. You can check our Log Shipping instructions for details on installing and configuring Filebeat.
To configure Filebeat to ship multiline logs, add the multiline option to the relevant prospector within your Filebeat configuration file.
NOTE: Filebeat supports a subset of the regular expression syntax. Check here to see which regular expressions are supported.
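The following prospector fragment is an added example, not taken from the original instructions. It shows the multiline option for a Java-style log in which each entry starts with a date. The log path, the timestamp format and the sample log lines in the comments are assumptions made for illustration.

```yaml
# Added example: prospector fragment only; the rest of the Filebeat
# configuration (output, TLS, account fields) stays as already configured.
filebeat.prospectors:
  - type: log                      # Filebeat 5.x names this key input_type
    paths:
      - /var/log/myapp/app.log     # placeholder path (assumption)

    # Constructed sample of what one log entry looks like in the file:
    #   2017-03-01 12:00:00 ERROR Request failed
    #   java.lang.NullPointerException: null
    #       at com.example.Handler.run(Handler.java:42)
    #   2017-03-01 12:00:01 INFO Next request
    #
    # A new entry begins on any line that starts with a yyyy-mm-dd date.
    multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
    # negate: true -> lines that do NOT match the pattern are continuation lines
    multiline.negate: true
    # match: after -> continuation lines are appended to the preceding matching line
    multiline.match: after

    # Bounds on how much Filebeat buffers for one entry (Filebeat's defaults).
    multiline.max_lines: 500       # lines beyond this in a single entry are discarded
    multiline.timeout: 5s          # flush the pending entry if no new line arrives
```

If the pattern does not match the timestamp format your application actually writes, no line ever starts a new entry and unrelated log lines are merged together until `multiline.max_lines` is reached, so verify the pattern against a real sample of the log before relying on the shipped entries.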