A multiline message - how to deal with it?

Hello!
I am completely stuck dealing with Logstash.
There is unstructured information obtained from one source, divided by the \n char.
I cut it in the input section into a set of messages with the multiline codec.
So the information I get before filtering looks like this:

    message: "Block1"
    message: " Attribut1:Value1"
    message: " Attribut2:Value2"
    message: " Attribut3:Value3"
    message: "\r"
    message: "Block2"
    message: " Attribut12:Value11"
    message: " Attribut23:Value21"
    message: " Attribut33:Value34"
    message: "\r"

I'd like to merge those messages into something similar to

    message: {Block1:["Attribut1:Value1" ," Attribut2:Value2"," Attribut3:Value3" ]}
    message: {Block2:["Attribut12:Value11" ," Attribut23:Value21"," Attribut33:Value34" ]}

but I am not able to find a way to do it properly. Neither aggregate nor grok seems to me to fit my case. Would you be so kind as to show me how to deal with it?

It is not clear what your message looks like, but if it is

    "message" => "Block1\n Attribut1:Value1\n Attribut2:Value2\n Attribut3:Value3\n\r\nBlock2\n Attribut12:Value11\n Attribut23:Value21\n Attribut33:Value34\n\r",

then

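    # "^M" stands for a literal carriage return (the \r that ends each block)
    mutate { split => { "message" => "^M" } }
    # One event per block
    split { field => "message" }
    # Remove the newline left at the start of the second block
    mutate { gsub => [ "message", "^\n", "" ] }
    # The quoted string below is a literal newline
    mutate { split => { "message" => "
" } }
    ruby {
        code => '
            message = event.get("message")
            # First line is the block name; the rest become its value
            name = message.shift(1).to_s.gsub(/\"/, "")
            event.set(name, message)
        '
    }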

will get you two events, the second one with

    "Block2" => [
        [0] " Attribut12:Value11",
        [1] " Attribut23:Value21",
        [2] " Attribut33:Value34"
    ],
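The same splitting logic in plain Ruby, runnable without Logstash; this is an added example and not part of the original answer. Because the ruby filter above uses text taken from the log as a field name, this version restricts the name and nests it under a parent field. The helper names, the `blocks` parent field and the `_unparsed` key are assumptions made for the example.

```ruby
# Added example, not code from the thread. SAMPLE is constructed from the
# message quoted in the answer above.
SAMPLE = "Block1\n Attribut1:Value1\n Attribut2:Value2\n Attribut3:Value3\n\r\n" \
         "Block2\n Attribut12:Value11\n Attribut23:Value21\n Attribut33:Value34\n\r"

# Mirror of the filter chain: split on CR, drop blank lines, first line is the
# block name. Returns an array of [name, attribute_lines] pairs, one per event.
def split_blocks(raw)
  pairs = raw.split("\r").map do |chunk|
    lines = chunk.split("\n").reject { |l| l.strip.empty? }
    next if lines.empty?            # a doubled "\r" leaves a chunk of only "\n"
    [lines.shift.strip, lines]
  end
  pairs.compact
end

# The block name comes from the data, so restrict it before using it as a
# field name. "blocks" is a hypothetical parent field chosen for this example;
# nesting under it keeps a block called "message" or "@timestamp" from
# overwriting an existing top-level field.
def field_reference(name)
  safe = name.gsub(/[^A-Za-z0-9_]/, "_")
  "[blocks][#{safe}]"
end

# Split " Attribut1:Value1" into a key/value pair; lines without ":" are kept
# under the hypothetical key "_unparsed" rather than dropped.
def parse_attributes(lines)
  lines.each_with_object({}) do |line, out|
    key, value = line.strip.split(":", 2)
    if value.nil?
      (out["_unparsed"] ||= []) << line
    else
      out[key] = value
    end
  end
end

# One hash per event: { field_reference => { attribute => value } }
def parse(raw)
  split_blocks(raw).map { |name, lines| { field_reference(name) => parse_attributes(lines) } }
end

parse(SAMPLE).each { |event| p event } if __FILE__ == $PROGRAM_NAME
```

In a Logstash ruby filter the same helpers would be called on `event.get("message")`, with the result written by `event.set(field_reference(name), attributes)`.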

Thank you a LOT!

It is a decision I have been looking for!

Yes, sure, my raw message looks like you've described, so yes, it could be changed without applying multiline in input. That is the trick.
