Combine multiple lines into one variable


(Thorsten Peter) #1

Hi,
I am searching for a good solution to process different forms of events in the same log files. I could write if{}elseif{} for every possible event, but I hope there is a better way. Some of my logs look like:

Ereignis 25 von 3000:  Ereignis-ID 16# 3942
Baugruppe gestört oder Wartung erforderlich
Baugruppentyp: Dezentrale Peripherie
Eingangsadresse: 16337
Anwenderinformation vorhanden
Diagnosealarm von Stellvertreter
Modul/Submodul gestört
Fehler baugruppenextern
Alarm aufgetreten in Baugruppenträger  0
Angeforderter OB: Diagnosealarm-OB (OB 82)
Prioritätsklasse: 25
externer Fehler, kommendes Ereignis
16:53:51.688  03.09.2017
(Kodierung: 16# 3942  1952  D054  3FD1  0563  0000)


Ereignis 26 von 3000:  Ereignis-ID 16# 5979
Baugruppenfehler in Dezentraler Peripherie  aufgetreten 
Steckplatz DP-Master/IO-Controller:   6 in Baugruppenträger-Nr.   0
Ereignis aufgetreten in der Master-CPU in Baugruppenträger-Nr.: 0
externer Fehler, kommendes Ereignis
16:53:51.687  03.09.2017
(Kodierung: 16# 5979  F806  0000  0000  0000  0000)


Ereignis 27 von 3000:  Ereignis-ID 16# 3842
Baugruppe ok
Baugruppentyp: Dezentrale Peripherie
Eingangsadresse: 16337
Anwenderinformation vorhanden
Diagnosealarm von Stellvertreter
Alarm aufgetreten in Baugruppenträger  0
Angeforderter OB: Diagnosealarm-OB (OB 82)
Prioritätsklasse: 25
externer Fehler, gehendes Ereignis
16:53:51.517  03.09.2017
(Kodierung: 16# 3842  1952  D054  3FD1  0063  0000)

Currently I'm filtering the first line like this:

match => { "message" => "Ereignis %{NUMBER:Nummer} von 3000: Ereignis-ID 16# %{NUMBER:ID}\n...

and the variable part in the middle with multiple %{GREEDYDATA:Message1}\n%{GREEDYDATA:Message2}...

until the date and timestamp. It works like that, but I would like to have just one variable which contains all the new lines between the first and the date line (right now I need a new variable for every new line in the event). Is it even possible to write multiple lines in one variable? And if that's possible, can I set the number of lines dynamically with ()? ?

Thanks in advance


#2

Hello, here is my guess on the topic.. :wink:

I think you need to use (?<msg>(.|\r|\n)*) instead of GREEDYDATA to include linebreaks.
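
The capture suggested in #2, run against the log format from #1, as an added example that is not part of the thread. It is written in Ruby because its regex syntax is close to the Oniguruma syntax grok uses. It assumes each event already arrives as one joined message; the constant names, the `nummer`/`kodierung` field names and the `parse` helper are hypothetical.

```ruby
# Constructed input: event 26 from the question, and a shortened event 27
# with CRLF line endings. Each is assumed to arrive as one joined message.
EVENTS = [
  "Ereignis 26 von 3000:  Ereignis-ID 16# 5979\n" \
  "Baugruppenfehler in Dezentraler Peripherie  aufgetreten \n" \
  "Steckplatz DP-Master/IO-Controller:   6 in Baugruppenträger-Nr.   0\n" \
  "externer Fehler, kommendes Ereignis\n" \
  "16:53:51.687  03.09.2017\n" \
  "(Kodierung: 16# 5979  F806  0000  0000  0000  0000)",
  "Ereignis 27 von 3000:  Ereignis-ID 16# 3842\r\n" \
  "Baugruppe ok\r\n" \
  "externer Fehler, gehendes Ereignis\r\n" \
  "16:53:51.517  03.09.2017\r\n" \
  "(Kodierung: 16# 3842  1952  D054  3FD1  0063  0000)"
].freeze

# Fixed first line and fixed last two lines of every event.
HEAD = /\AEreignis (?<nummer>\d+) von \d+:\s+Ereignis-ID 16# (?<id>\h{4})\r?\n/
TAIL = /\r?\n(?<time>\d\d:\d\d:\d\d\.\d{3})\s+(?<date>\d\d\.\d\d\.\d{4})\r?\n\(Kodierung: (?<kodierung>[^)]*)\)\s*\z/

# GREEDYDATA is ".*": without a dotall flag it stops at the first "\n".
GREEDY_ONLY = /#{HEAD}(?<msg>.*)#{TAIL}/
# The body pattern from answer #2: also accept CR and LF explicitly.
ANSWER = /#{HEAD}(?<msg>(.|\r|\n)*)#{TAIL}/
# Same capture with Ruby's /m flag, which lets "." match "\n" as well.
DOTALL = /#{HEAD}(?<msg>.*)#{TAIL}/m

# Returns the event's fields, with the variable middle part as one array,
# or nil when the pattern does not match (the grok-failure case).
def parse(event, pattern = ANSWER)
  m = pattern.match(event)
  return nil unless m
  {
    nummer: m[:nummer].to_i,
    id: m[:id],
    # Greedy capture keeps a trailing "\r" on CRLF input, so strip each line.
    lines: m[:msg].lines.map(&:strip),
    time: m[:time],
    date: m[:date],
    kodierung: m[:kodierung].split
  }
end

if __FILE__ == $PROGRAM_NAME
  EVENTS.each { |e| p parse(e) }
end
```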


(Thorsten Peter) #3

Wow, as simple as that. ^^
Works like a charm!

Thx
Many thanks :smile:

