Concatenation between two documents' message values

Hi,
Let's assume that I have 3 documents in Elasticsearch, and here is an example of the messages they contain.
document 1 message:

2022-01-13 17:16:05   - request in formatHexDump is => 
000: 12 15 46 77 77 55 | ak55s2 ....
000: 12 15 46 77 77 55 | ak55s2 ....
..
FO ... 

document 2 message:

2022-01-13 17:16:10   - request in formatHexDump is => 
000: 44 66 99 11  77 55 | h44a5000 ....
000: 45 66 33 22 00 11  | adandakj ....
..
FT ....
..

document 3 message:

2022-01-13 17:17:44   - request in formatHexDump is => 
000: 44 33 22 00 11 55 | jjdll1122 ....
000: 12 15 46 77 77 55 | h555666 ....
..
AO ... 
...

I separate the logs with filebeat multiline.pattern: '^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\srequest\sin\sformatHexDump\sis\s\S{2}'
So in this example I would like to find only two logs, not three: the first contains the logs which contain FO and FT together in one message, and the second log contains AO.
I mean, if there is FT in any log, take the whole log and put it under the previous log.

Any help would be sincerely appreciated!
Thanks!

I mean, if it can be like this:
document 1 message field value:

2022-01-13 17:16:05   - request in formatHexDump is => 
000: 12 15 46 77 77 55 | ak55s2 ....
000: 12 15 46 77 77 55 | ak55s2 ....
..
FO ...
....
2022-01-13 17:16:10   - request in formatHexDump is => 
000: 44 66 99 11  77 55 | h44a5000 ....
000: 45 66 33 22 00 11  | adandakj ....
..
FT ....
..

document 2 message field value:

2022-01-13 17:17:44   - request in formatHexDump is => 
000: 44 33 22 00 11 55 | jjdll1122 ....
000: 12 15 46 77 77 55 | h555666 ....
..
AO ... 
...

Thanks!

If you use Logstash, you can aggregate multiple messages into a single event, according to some rules, with the aggregate filter plugin. You may use filebeat -> logstash -> Elasticsearch, or using only logstash -> Elasticsearch could also be possible.
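As an added illustration of the merge rule described in the question (not code from the post or from Elastic), here is a Python reference implementation: it splits the text with the same multiline pattern as filebeat, then folds every event carrying an FT marker into the previous event, which is the behaviour a Logstash aggregate rule would have to reproduce. The sample log and the "line starting with FT" marker check are assumptions constructed for the example.

```python
import re

# Event-start pattern taken from the question's filebeat multiline.pattern.
EVENT_START = re.compile(
    r'^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{3}-\srequest\sin\sformatHexDump\sis\s\S{2}'
)
# Assumption: a fragment whose marker line starts with "FT" continues the previous request.
CONTINUATION_MARKER = re.compile(r'^FT\b')

# Constructed sample input mirroring the three documents in the question.
SAMPLE_LOG = """\
2022-01-13 17:16:05   - request in formatHexDump is =>
000: 12 15 46 77 77 55 | ak55s2 ....
FO ...
2022-01-13 17:16:10   - request in formatHexDump is =>
000: 44 66 99 11  77 55 | h44a5000 ....
FT ....
2022-01-13 17:17:44   - request in formatHexDump is =>
000: 44 33 22 00 11 55 | jjdll1122 ....
AO ...
"""

def split_events(raw):
    """Cut raw text into events the way filebeat multiline does: a line matching
    EVENT_START opens a new event, every other line is appended to the current one."""
    events = []
    for line in raw.splitlines():
        if EVENT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

def is_continuation(event):
    """True when any line of the event is an FT marker line."""
    return any(CONTINUATION_MARKER.match(line) for line in event.splitlines())

def merge_continuations(events):
    """Fold each FT event into the event before it; an FT event with no
    predecessor (first in the batch) is kept on its own rather than dropped."""
    merged = []
    for event in events:
        if merged and is_continuation(event):
            merged[-1] += "\n" + event
        else:
            merged.append(event)
    return merged
```

Running merge_continuations(split_events(SAMPLE_LOG)) yields two documents: the 17:16:05 request with the FT fragment appended, and the 17:17:44 request on its own.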
