Hi,
I have a file, so I read this file using Filebeat and I do the multiline like this:
filebeat.yml:
- type: log
  enabled: true
  paths:
    - D:\elastic_stack\logs\*
  fields:
    kafka_topic: "kafka-topic-1"
  tags: ["ok"]
  multiline.type: pattern
  multiline.pattern: '^\s*\*TR\sSTART\*\s*'
  multiline.negate: true
  multiline.match: after
  multiline.max_lines: 1000
Here is my example of one log:
*TR START*
AAAA IN
AAAA: ******12
DATE 20-07-22 TIME 07:37:48
07:37:56 PI
07:38:00 A
07:38:02 OP
07:38:03 GE
07:38:04 GE
******************
DATE HEURE A
20/07/22 07:37 0000002
AAAA:12121212
CONSULT
TR. NO: 3984
07:38:24 A
07:38:26 OP
07:38:27 GE
07:38:28 GE
******************
DATE HEURE A
20/07/22 07:37 12121212
AAAA: ******12
MO : 20
TRANS. NO: 3985
TR REF
R€o : 60
07:38:32 AAAA T
07:38:35 TR END
Each log must have a TR. NO: ... What I want is, if I find two TR. NO in the message, to add a new document, if possible. I did it this way because when I found another TR. NO, after it I have an empty line, so I did this:
if([message] =~ /^TR\.\sNO:.*[\r\n]*^\s{40}/) {
  # if I find this one, add a new document
}
Any help would be sincerely appreciated!
Thanks!
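
One way to do the split asked about above, as an added example in Ruby (the language of the Logstash ruby filter); it is not code from the original post. It assumes that a line made only of asterisks separates transactions, as in the sample log, and the names `split_transactions`, `TR_NO` and `SEPARATOR` are made up here.

```ruby
# Added example: split one multiline event into one record per transaction
# number. Assumption: a line made only of asterisks separates transactions.
TR_NO     = /^[ \t]*TR(?:ANS)?\.[ \t]*NO:[ \t]*(\d+)/  # "TR. NO:" and "TRANS. NO:"
SEPARATOR = /^\s*\*{6,}\s*$/                           # e.g. "******************"

# Returns an array of { "tr_no" => String or nil, "message" => String }.
def split_transactions(message)
  chunks = []
  current = []
  message.each_line(chomp: true) do |line|   # chomp also drops Windows "\r\n"
    # Close the running chunk only once it already holds a transaction number,
    # so the header block before the first number stays with transaction one.
    if line.match?(SEPARATOR) && current.any? { |l| l.match?(TR_NO) }
      chunks << current
      current = []
    end
    current << line
  end
  # Trailing lines without a number are appended to the previous transaction;
  # a message with no number at all is returned as a single record.
  if chunks.empty? || current.any? { |l| l.match?(TR_NO) }
    chunks << current
  else
    chunks.last.concat(current)
  end
  chunks.map do |lines|
    text = lines.join("\n")
    { "tr_no" => text[TR_NO, 1], "message" => text }
  end
end

# Constructed sample, shortened from the log in the post.
SAMPLE = <<~LOG
  *TR START*
  AAAA: ******12
  07:38:04 GE
  ******************
  DATE HEURE A
  TR. NO: 3984
  07:38:28 GE
  ******************
  AAAA: ******12
  TRANS. NO: 3985
  07:38:35 TR END
LOG

if __FILE__ == $PROGRAM_NAME
  split_transactions(SAMPLE).each { |d| puts "#{d['tr_no']}: #{d['message'].lines.count} lines" }
end
```

In a Logstash ruby filter the returned array could be stored on the event with `event.set` and then fanned out into separate documents with the split filter's `field` option.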