Add field problem logstash

alex_vermex · February 22, 2022, 8:18am

Hi,
I would like to know if I can add field if I find a word in the message but under a block of lines.
filebeat.yml:

  multiline.type: pattern
  multiline.pattern: '^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\sStarting'
  multiline.negate: true
  multiline.match: after
  multiline.max_lines: 140

So my message now contains multilines sometimes so can i add fied if i found "id alex" for example?

2022-01-01 17:17:13   - id alex =>00011223344556677

I want to add fied id alex with value "00011223344556677"
i dont know if there is any solution to this if not there is another methode to do this ?

alex_vermex · February 22, 2022, 10:18am

ok i did it with grok but i when i have another value in another line in the same message i mean like this:

2022-01-01 17:17:13   - id alex =>00011223344556677
2022-01-01 17:18:15   - number =>00335566221144

i did this but didnt work, when i tried in dev tools Grok debugger it works:

filter {
    if ("id alex" in [message] and "number" in [message]) {
        grok { match => { "message" => "(?<id>^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\sid\salex\sis\s\S{2}*)(\r\n|\r|\n)(?<number>^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\snumber\sis\s\S{2}*)
" } }
    }

I would like to know what is the problem. because I don't get any error.

Any help would be sincerely appreciate!
Thanks!

system · March 22, 2022, 10:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Add field multiline under multiline filebeat/logstash Logstash	2	464	March 22, 2022
Add_field with value from message Logstash	1	296	March 21, 2022
Add fields with same format but different value problem with grok logstash Logstash	2	294	March 23, 2022
Multiline is not getting added to the "tag" field Beats filebeat	4	673	August 30, 2018
Add new document using logstash Logstash	3	230	September 8, 2022

Add field problem logstash

Related topics