Add field problem logstash

Hi,
I would like to know if I can add a field if I find a word in the message but under a block of lines.
filebeat.yml:

  multiline.type: pattern
  multiline.pattern: '^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\sStarting'
  multiline.negate: true
  multiline.match: after
  multiline.max_lines: 140

So my message now sometimes contains multiple lines, so can I add a field if I find "id alex", for example?

2022-01-01 17:17:13   - id alex =>00011223344556677

I want to add a field id alex with value "00011223344556677".
I don't know if there is any solution to this; if not, is there another method to do this?

OK, I did it with grok, but when I have another value in another line in the same message, I mean like this:

2022-01-01 17:17:13   - id alex =>00011223344556677
2022-01-01 17:18:15   - number =>00335566221144

I did this but it didn't work; when I tried it in the Dev Tools Grok Debugger it works:

filter {
    if ("id alex" in [message] and "number" in [message]) {
        grok { match => { "message" => "(?<id>^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\sid\salex\sis\s\S{2}*)(\r\n|\r|\n)(?<number>^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\snumber\sis\s\S{2}*)
" } }
    }
}

I would like to know what the problem is, because I don't get any error.

Any help would be sincerely appreciated!
Thanks!
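
One way to pull both values out of a single multiline event, as an added example that is not part of the original post: grok patterns are unanchored searches, so two short patterns with `break_on_match => false` each find their own line wherever it sits in the message. The field names `id_alex` and `number` are assumptions, and the patterns follow the `=>` separator shown in the sample lines above.

```logstash
filter {
  # Only run grok on events that carry at least one of the markers.
  if "id alex" in [message] or "number" in [message] {
    grok {
      # Default is true: grok stops after the first pattern that matches.
      # With false, every pattern in the list is tried and each match
      # adds its captures, so both fields are set when both lines exist.
      break_on_match => false
      match => {
        "message" => [
          # Matches "... - id alex =>00011223344556677" on any line.
          "id alex =>(?<id_alex>\S+)",
          # Matches "... - number =>00335566221144" on any line.
          "number =>(?<number>\S+)"
        ]
      }
    }
  }
}
```

Because neither pattern depends on line order or on the line-break style (`\n` or `\r\n`), the same filter works when other lines sit between the two values or when only one of them is present.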
