Filter to remember field accross lines with between start and stop tag

melorium · January 23, 2022, 1:20pm

Hi.

I have a log with a s tart and stop tag.

2021-12-30 13:15:08.614 +0100 [AWT-EventQueue-0] 51818 INFO com.nuix.data.keystore.b - Read 0 passwords from C:\CASE\Test Log 1-1\Stores\DecryptionKeys\pgpkeylist.dat

This row only show up once I the log but I want to remember it across all events after it and add a tag with tag "Test Log 1-1" until I get the stop tag.

The stop tag must reset thet value.

After the start tag i get the string I want to remember over all events is "Test Log 1-1"

How can I remember that value and tag every event with it until the stop tag show up.

Can I set some kind of variable to remember across event maybe over more than one log.

Thanks for all help I can get.

melorium · January 23, 2022, 1:21pm

grok {
match => {"message" => "%{TIMESTAMP_ISO8601:nuix_timestamp} %{NUMBER:nuix_timezone} [%{DATA:nuix_source}] %{NUMBER:nuix_thread} %{LOGLEVEL:nuix_loglevel}%{SPACE}%{DATA:nuix_class} - (?<case_name>.+?(?=\Stores\DecryptionKeys\pgpkeylist.dat))"}
}
mutate {
gsub => [
# replace backslashes and forward slashes with a hyphen
"case_name", "[\/]", "€ "
]
}
grok {
match => {"case_name" => " (?<nuix_case>([^€]+$))"}
}

melorium · January 23, 2022, 1:22pm

This grok will catch it but I dont know how to remember it across all future events until the stop tag show up

Tomo_M · January 23, 2022, 2:41pm

Hi,

Aggregate filter is what you need, I think. Example is similar to your use case.

system · February 20, 2022, 2:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.