Hi,
I would like to know if I can add a field if I find a word in the message, but under a block of lines.
filebeat.yml:
multiline.type: pattern
multiline.pattern: '^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\sStarting'
multiline.negate: true
multiline.match: after
multiline.max_lines: 140
So my message now sometimes contains multiple lines. Can I add a field if I find "id alex", for example?
2022-01-01 17:17:13 - id alex =>00011223344556677
I want to add a field "id alex" with the value "00011223344556677".
I don't know if there is any solution to this. If not, is there another method to do this?
OK, I did it with grok, but when I have another value on another line in the same message, I mean like this:
2022-01-01 17:17:13 - id alex =>00011223344556677
2022-01-01 17:18:15 - number =>00335566221144
I did this but it didn't work, although when I tried it in the Dev Tools Grok Debugger it works:
filter {
  if ("id alex" in [message] and "number" in [message]) {
    grok { match => { "message" => "(?<id>^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\sid\salex\sis\s\S{2}*)(\r\n|\r|\n)(?<number>^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\snumber\sis\s\S{2}*)
" } }
  }
}
I would like to know what the problem is, because I don't get any error.
Any help would be sincerely appreciated!
Thanks!
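
An added example, not part of the original post: one way to pull both values out of a single multiline event is to give grok two independent, unanchored patterns and set `break_on_match` to false, so the two lines do not have to be adjacent or in a fixed order. The field names `id_alex` and `number` and the `=>` separator are assumptions taken from the sample lines in the post.

```logstash
# Added example, not the poster's configuration.
# Constructed sample event (one multiline message shipped by Filebeat):
#   2022-01-01 17:17:13 - id alex =>00011223344556677
#   2022-01-01 17:17:40 - some other line
#   2022-01-01 17:18:15 - number =>00335566221144
filter {
  grok {
    # Each pattern is unanchored, so grok searches for it anywhere in the
    # multiline message; no newline matching or timestamp prefix is needed,
    # and the amount of whitespace around "=>" does not matter.
    match => {
      "message" => [
        "id alex\s*=>\s*(?<id_alex>\S+)",
        "number\s*=>\s*(?<number>\S+)"
      ]
    }
    # Default is true: grok finishes after the first pattern that matches,
    # which would leave the second field unset.
    break_on_match => false
  }
}
```

Both captures are stored as strings, so leading zeros in the values are preserved.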