A multilne message - how to deal with?

awer1967 · April 6, 2021, 7:30pm

Hello !
I am in complete stuck in some dealing with Logstash.
There is a non-structured information gotten from one source , divided by \n char
I cut it out in input section into set of messages with the multiline codec .
So I get the information before filtering looks like it :

message: "Block1"
message: " Attribut1:Value1"
message: " Attribut2:Value2"
message: " Attribut3:Value3"
message: "\r"
message: "Block2"
message: " Attribut12:Value11"
message: " Attribut23:Value21"
message: " Attribut33:Value34"
message: "\r"

I'd like to merge that messages into something similar to

message: {Block1:["Attribut1:Value1" ," Attribut2:Value2"," Attribut3:Value3" ]}
message: {Block2:["Attribut12:Value11" ," Attribut23:Value21"," Attribut33:Value34" ]}

but I am not able to find a way how to do it properly. Neither aggregate nor grok seems to me could play in my case. Wouldn't you be so kind to show me how to deal with it ?

Badger · April 7, 2021, 3:49am

It is not clear what your message looks like, but if it is

   "message" => "Block1\n Attribut1:Value1\n Attribut2:Value2\n Attribut3:Value3\n\r\nBlock2\n Attribut12:Value11\n Attribut23:Value21\n Attribut33:Value34\n\r",

then

    mutate { split => { "message" => "^M" } }
    split { field => "message" }
    mutate { gsub => [ "message", "^\n", "" ] }
    mutate { split => { "message" => "
" } }
    ruby {
        code => '
            message = event.get("message")
            name = message.shift(1).to_s.gsub(/\"/, "")
            event.set(name, message)
        '
    }

will get you two events, the second one with

    "Block2" => [
    [0] " Attribut12:Value11",
    [1] " Attribut23:Value21",
    [2] " Attribut33:Value34"
],

awer1967 · April 7, 2021, 3:53am

Thank You a LOT !

It is a decision I have been looking for !

Yes, sure , my raw message looks like you've described , so yes, it could be changed without applying multiline in input. That is the trick.