This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 56.00000000000001%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Hi,
I'm currently using Azure Monitor Agent (AMA) and Data Collection Rules (DCR) to ingest custom logs into a Log Analytics workspace. According to Azure Monitor Documentation, it's possible to configure multiline log collection by using timestamp instead of End-of-Line in the DCR.
Here's my configuration:
However, despite this configuration, I'm still seeing the logs ingested as multiple separate records instead of one consolidated log message.
Is there something I'm missing in the DCR or AMA setup to ensure proper multiline log aggregation?
Any insights or help would be highly appreciated.
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 20%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Verify that the timestamp format specified in your DCR matches the format used in your log files. This is critical, as the DCR uses timestamps to determine where each new log entry begins.
The Record Delimiter should be set to TimeStamp, which is currently the only supported value for identifying the start of new log records based on timestamps.
Please confirm that your log files are structured consistently and include well-formatted timestamps. If the DCR cannot correctly recognize the timestamp at the beginning of each log entry, it may be unable to process or consolidate the logs properly.
If your logs contain multiline entries (e.g., stack traces or extended messages), make sure the multiline logging feature is enabled in your configuration. This setting allows Azure to group related lines into a single log entry for accurate ingestion.
Kindly let us know if the above helps or you need further assistance on this issue.
Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Hi Pranay,
I have verified that the timestamp format specified in my DCR matches the format used in my log files. You may see the screenshot I have attached in the question.
I used the sample logs given in Azure Monitor Documentation for testing purposes, and it is still ingesting multiple logs instead of consolidating the logs.
How do I enable multiline entries in my configuration? I have Record Delimiter set to TimeStamp already.
Thanks
Hi Pranay,I have verified that the timestamp format specified in my DCR matches the format used in my log files. You may see the screenshot I have attached in the question.
I used the sample logs given in Azure Monitor Documentation for testing purposes, and it is still ingesting multiple logs instead of consolidating the logs.
How do I enable multiline entries in my configuration? I have Record Delimiter set to TimeStamp already.
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 87%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMV%3C/text%3E%3C/svg%3E)
Hello Alexander Ramdayal,
It looks like you've set the Record Delimiter to TimeStamp, which is the right approach for time-based log aggregation. To make sure multiline logs are properly grouped together, you'll need to enable the multiline feature in your DCR.
You’ll want to set multiline.enabled to true and define regular expressions for beginRegex and endRegex to mark where each multiline log starts and ends
Thanks for your response. How do I set multiline.enabled to true in my DCR? Does this only work with Monitor container/Container Insights? As I'm using Azure Monitor Agent to ingest the logs into a Log Analytics workspace table.
Hello Alexander Ramdayal , I will test your configuration requirement in my test environment and get back to you with all relevant step in detail
Hi @Mallikarjuna Vardham , really appreciate the help.
Here's a quick update, after updating the Azure Monitor Agent (AMA), the record delimiter with Timestamp is working normally now.
Thanks all for information and help!