Hi,
log file example:
2021-01-01 11:15:02 - it is a f....
2021-01-01 11:15:04 - format is =>
000000: 00 11 22 a5 12 12 23 2a 55 12 00 22 33 44 | ?1451202000
.
.
.
00114: 00 11 55 77 9a 11 0
2021-12-23 10:14:22 - testing request
2021-12-23 10:17:01 - format is =>
000000: 01 02 3d 5d 79 11 00 .... | s9.kk6400
.
.
.
000144: 69 69 66 33 22 11 44 7d .... | 22 s6 66700
2021-12-23 10:17:01 - testing request
So I want to add a field when I find "format is", which is in the same message because I set up multiline in filebeat.yml,
so I tried this:
if ("format is" in [message]) {
  grok { match => { "message" => "(?<format>(^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\sformat\sis\s\S{2}\s(\n))(^\d{6}:[^(\r\n)]*(\n)*)+)" }}
}
It just gives me the first block and ignores the second, and I want both of them, each in a field.
Any help would be sincerely appreciated!
Thanks!
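Added example (not part of the post above, and not Logstash's own code): the grok pattern in the question is applied once, starting at the first "format is =>" header, and its repeated `^\d{6}:` group stops as soon as it meets a line that does not begin with a six-digit offset, so the second block is never reached; a named capture also holds only one value. One way to get every block is to scan the joined message repeatedly and store the results as an array field. The code below does that in plain Ruby (chosen because Logstash's `ruby` filter runs Ruby), on a constructed message shaped like the log in the question after Filebeat's multiline handling has joined it into one event; the field names `format` and `format_count` and the function names are assumptions for the illustration.

```ruby
# Constructed sample: one multiline event as Filebeat would hand it to
# Logstash, shaped like the log in the question (not real data).
SAMPLE_MESSAGE = <<~LOG
  2021-01-01 11:15:02 - it is a f....
  2021-01-01 11:15:04 - format is =>
  000000: 00 11 22 a5 12 12 23 2a 55 12 00 22 33 44 | ?1451202000
  000014: 00 11 55 77 9a 11 00
  2021-12-23 10:14:22 - testing request
  2021-12-23 10:17:01 - format is =>
  000000: 01 02 3d 5d 79 11 00 | s9.kk6400
  000144: 69 69 66 33 22 11 44 7d | 22 s6 66700
  2021-12-23 10:17:01 - testing request
LOG

# One block = a "format is =>" header line followed by every directly
# following line that starts with a six-digit offset and a colon.
# Ruby's ^ is always line-anchored, so this works inside one big string.
BLOCK_RE = /^(?<header>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} - format is =>)\n(?<body>(?:^\d{6}:[^\n]*\n?)+)/

# Return every block in the message, not just the first one.
# String#scan re-applies the pattern after each match, which is the
# step a single grok match never performs.
def extract_format_blocks(message)
  message.scan(BLOCK_RE).map do |header, body|
    {
      'timestamp' => header[0, 19],     # "YYYY-MM-DD HH:MM:SS"
      'lines'     => body.split("\n"),  # raw hex-dump lines of this block
    }
  end
end

# Split one hex-dump line into its offset, its byte values and the
# optional printable tail after " | ". The offset is kept as the string
# written in the log, since the post does not say whether it is hex.
def parse_hex_line(line)
  offset, rest = line.split(': ', 2)
  hex, ascii = rest.split(' | ', 2)
  {
    'offset' => offset,
    'bytes'  => hex.split.map { |h| h.to_i(16) },
    'ascii'  => ascii, # nil when the line has no printable tail
  }
end

# Build the fields one would add to the event: an array with one entry
# per block (field names are assumptions for this example).
def build_format_fields(message)
  blocks = extract_format_blocks(message).map do |block|
    {
      'timestamp' => block['timestamp'],
      'hexdump'   => block['lines'].map { |l| parse_hex_line(l) },
    }
  end
  { 'format' => blocks, 'format_count' => blocks.length }
end

if __FILE__ == $PROGRAM_NAME
  fields = build_format_fields(SAMPLE_MESSAGE)
  puts "blocks found: #{fields['format_count']}"
  fields['format'].each do |b|
    puts "#{b['timestamp']}: #{b['hexdump'].length} hex line(s), " \
         "first bytes #{b['hexdump'].first['bytes'].first(4).inspect}"
  end
end
```

Inside a Logstash `ruby { code => "..." }` filter the same logic would read the joined text with `event.get('message')` and attach the result with `event.set('format', ...)`, giving one array field with an element per block instead of one string field that only ever holds the first block.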