Hello,
It's all in the title. Is there an equivalent of the 'stream_identity' property of the multiline filter in the multiline codec? How can interlaced log lines be merged based on their dynamic identifier using the multiline codec in a multi-threaded environment?
I have the following log lines:
Feb 16 17:29:04 notice apd[5515]: 01490010:5: 1ec2b273:Username 'cjones'
Feb 16 17:29:04 warning apd[5515]: 01490106:4: 1ec2b273: AD module: authentication with 'cjones' failed: Preauthentication failed, principal name: cjones@GEEKO.COM. Invalid user credentials. (-1765328360)
Feb 16 17:10:04 notice apd[5515]: 01490010:5: d8b5a591: Username 'gbridget'
Feb 16 17:10:04 err apd[5515]: 01490107:3: d8b5a591: AD module: authentication with 'gbridget' failed: Clients credentials have been revoked, principal name: gbridget@GEEKO.COM. User account is locked (-1765328366)
Feb 16 17:29:04 notice apd[5515]: 01490005:5: 1ec2b273: Following rule 'fallback' from item 'AD Auth' to ending 'Deny'
Feb 16 17:29:04 notice apd[5515]: 01490102:5: 1ec2b273: Access policy result: Logon_Deny
I'd like to join them like this:
1st event with id:1ec2b273:
Feb 16 17:29:04 notice apd[5515]: 01490010:5: 1ec2b273:Username 'cjones'
Feb 16 17:29:04 warning apd[5515]: 01490106:4: 1ec2b273: AD module: authentication with 'cjones' failed: Preauthentication failed, principal name: cjones@GEEKO.COM. Invalid user credentials. (-1765328360)
Feb 16 17:29:04 notice apd[5515]: 01490005:5: 1ec2b273: Following rule 'fallback' from item 'AD Auth' to ending 'Deny'
Feb 16 17:29:04 notice apd[5515]: 01490102:5: 1ec2b273: Access policy result: Logon_Deny
2nd event with id:d8b5a591:
Feb 16 17:10:04 notice apd[5515]: 01490010:5: d8b5a591: Username 'gbridget'
Feb 16 17:10:04 err apd[5515]: 01490107:3: d8b5a591: AD module: authentication with 'gbridget' failed: Clients credentials have been revoked, principal name: gbridget@GEEKO.COM. User account is locked (-1765328366)
I'd like to gather these related lines so that I could relate a username to its email address, for instance. If the stream_identity option is no longer available, is there a way to query multiple Elasticsearch documents to perform this action?
Thanks in advance
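The merge the post asks for, written out as an added example in plain Python rather than as a Logstash configuration (this is not code from the post or from Logstash). It reproduces what a stream-identity keyed buffer has to do: parse the session id out of each line, buffer lines per id so interleaved sessions never contaminate each other, and emit one merged event when the session's terminal line arrives. Assumptions not stated in the post: "Access policy result:" is treated as the last line of a session, and sessions that never see that line are flushed at end of input (standing in for the timeout a real pipeline would use). The sample lines are the six from the post above.

```python
import re
from collections import OrderedDict

# The six interleaved apd lines from the post (sessions 1ec2b273 and d8b5a591).
SAMPLE = """\
Feb 16 17:29:04 notice apd[5515]: 01490010:5: 1ec2b273:Username 'cjones'
Feb 16 17:29:04 warning apd[5515]: 01490106:4: 1ec2b273: AD module: authentication with 'cjones' failed: Preauthentication failed, principal name: cjones@GEEKO.COM. Invalid user credentials. (-1765328360)
Feb 16 17:10:04 notice apd[5515]: 01490010:5: d8b5a591: Username 'gbridget'
Feb 16 17:10:04 err apd[5515]: 01490107:3: d8b5a591: AD module: authentication with 'gbridget' failed: Clients credentials have been revoked, principal name: gbridget@GEEKO.COM. User account is locked (-1765328366)
Feb 16 17:29:04 notice apd[5515]: 01490005:5: 1ec2b273: Following rule 'fallback' from item 'AD Auth' to ending 'Deny'
Feb 16 17:29:04 notice apd[5515]: 01490102:5: 1ec2b273: Access policy result: Logon_Deny
""".splitlines()

# One apd line: timestamp, severity, pid, message id, level, 8-hex session id, free text.
# "\s*" after the session id tolerates the missing space in "1ec2b273:Username".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<sev>\w+) apd\[(?P<pid>\d+)\]: "
    r"(?P<msgid>[0-9a-f]{8}):(?P<lvl>\d):\s*(?P<session>[0-9a-f]{8}):\s*(?P<msg>.*)$"
)
# Assumption: the access-policy result is the final line of a session.
END_RE = re.compile(r"^Access policy result: (?P<result>\S+)")
USER_RE = re.compile(r"Username '(?P<user>[^']+)'")
# Lazy match stops before the sentence-ending dot in "cjones@GEEKO.COM. Invalid ..."
PRINCIPAL_RE = re.compile(r"principal name: (?P<principal>\S+?)\.?(?:[\s,]|$)")


class SessionAggregator:
    """Keyed buffer: lines are grouped by session id, not by arrival order."""

    def __init__(self):
        self._open = OrderedDict()  # session id -> {"raw": [...], "msgs": [...]}

    def feed(self, raw):
        """Buffer one line; return a merged event if it completes a session."""
        m = LINE_RE.match(raw)
        if m is None:
            return None  # not an apd line; a real pipeline would pass it through
        sid = m["session"]
        buf = self._open.setdefault(sid, {"raw": [], "msgs": []})
        buf["raw"].append(raw)
        buf["msgs"].append(m["msg"])
        if END_RE.match(m["msg"]):
            return self._emit(sid, complete=True)
        return None

    def flush(self):
        """Emit every still-open session (what a timeout would do)."""
        return [self._emit(sid, complete=False) for sid in list(self._open)]

    def _emit(self, sid, complete):
        buf = self._open.pop(sid)
        event = {
            "session": sid,
            "complete": complete,
            "line_count": len(buf["raw"]),
            "message": "\n".join(buf["raw"]),  # the merged multiline event
        }
        # Pull the correlated fields (username, principal/email, outcome) from
        # whichever line of the session carries them; first hit wins.
        for msg in buf["msgs"]:
            for key, rx in (("user", USER_RE), ("principal", PRINCIPAL_RE), ("result", END_RE)):
                hit = rx.search(msg)
                if hit and key not in event:
                    event[key] = hit[key]
        return event


def aggregate(lines):
    """Run the lines through the aggregator and return merged events in emit order."""
    agg = SessionAggregator()
    events = [e for e in (agg.feed(line) for line in lines) if e]
    events.extend(agg.flush())
    return events


if __name__ == "__main__":
    for ev in aggregate(SAMPLE):
        print(ev["session"], ev.get("user"), ev.get("principal"), ev.get("result"), ev["complete"])
        print(ev["message"])
```

On the sample, session 1ec2b273 is emitted as one four-line event carrying user cjones, principal cjones@GEEKO.COM and result Logon_Deny, while d8b5a591 is only flushed at the end, marked incomplete, with gbridget and gbridget@GEEKO.COM but no result. The multi-threading point in the question applies to this design too: the per-id buffer must live in one place (one worker, or a shared store behind a lock), because lines of the same session that land on different workers can never be merged.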