Add field multiline under multiline filebeat/logstash

Hi,
I would like to know if I can add a field if I find a word in the message but with just a block of lines.
log file example:

2022-01-01 17:27:56   - Starting d........
2022-12-22 17:27:59   - Run.....
.
.
2022-01-01 17:28:12   - request in format is =>
000000: 04 77 02 76 40 11 33 3......  | MS7.12121212
.
.
002040: 20 20 20 14 14 14 .......   | 0035SOAA   
2022-01-01 17:28:52   - testing timeout
2022-01-01 17:28:54   - timeout in format is =>
000116: 02 53 13 46 45 ......  | S?9.212121
.
.
002040: 20 20 20 14 14 14 .......   | 0035SOAA
2022-01-01 17:29:32   - end

filebeat.yml

multiline.type: pattern
multiline.pattern: '^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\sStarting'
multiline.negate: true
multiline.match: after
multiline.max_lines: 140

I want to add a field when I find "format" in the message, with the multiline value, when I find a date.
I hope you understand me.

Any help would be sincerely appreciated!
Thanks!

I tried to solve it with the grok filter:

if ("format" in [message]) {
    grok { match => { "message" => "(?<format>^\d{6}:[^(\r\n)]*(\n)^\d{6}:[^(\r\n)]*(\n))" } }
}

but it gives me the first line, so I want this whole block of lines. Sometimes I have 20 lines, so it's a bad idea to keep writing with regular expressions, and sometimes just 5 lines...
A solution, please?

Thanks.
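
Added example, not part of the original thread: a line-by-line Ruby function that collects every dump block following an "... in format is =>" line, however many lines it has, instead of one regex per line count. The function and constant names are hypothetical, the sample event is constructed from the log layout in the question, and dump lines are assumed to start with six digits and a colon, as in the poster's grok pattern.

```ruby
# Timestamped log line, as in the question's filebeat multiline pattern.
TS_LINE   = /\A\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s+-\s(?<text>.*)\z/
# Header that announces a dump, e.g. "request in format is =>".
HEADER    = /\A(?<label>\S+) in format is =>\s*\z/
# Dump line: six-digit offset and a colon (assumption taken from the grok attempt).
DUMP_LINE = /\A\d{6}:/

# Constructed sample: one multiline event as filebeat would ship it.
SAMPLE_EVENT = <<~LOG
  2022-01-01 17:27:56   - Starting demo
  2022-01-01 17:28:12   - request in format is =>
  000000: 04 77 02 76 40 11 33 30  | .w.v.30
  000016: 20 20 20 14 14 14 20 20  | 0035SOAA
  2022-01-01 17:28:52   - testing timeout
  2022-01-01 17:28:54   - timeout in format is =>
  000116: 02 53 13 46 45 20 20 20  | S.FE
  2022-01-01 17:29:32   - end
LOG

# Returns one hash per dump: {"label" => "request", "format" => "<dump lines>"}.
def extract_format_blocks(message)
  blocks = []
  current = nil
  message.each_line(chomp: true) do |line|
    if (m = TS_LINE.match(line))
      # Any timestamped line ends the dump being collected.
      current = nil
      if (h = HEADER.match(m[:text]))
        current = { "label" => h[:label], "lines" => [] }
        blocks << current
      end
    elsif current && DUMP_LINE.match?(line)
      # Variable-length block: keep appending until the next timestamp.
      current["lines"] << line
    end
  end
  blocks.map { |b| { "label" => b["label"], "format" => b["lines"].join("\n") } }
end

puts extract_format_blocks(SAMPLE_EVENT).inspect if __FILE__ == $PROGRAM_NAME
```

In Logstash the same function could be called from a `ruby` filter on the event's `message` field; that wiring is an assumption and is not shown here.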
