Is it possible to pass a field to the next event?
My log is multi-line:
root: 192.168.1.10|unknown (66/tcp)|92567|Low|description|
root: 192.168.1.10|unknown (26/tcp)|92567|Low|description|
root: 192.168.1.10|unknown (56/tcp)|92567|Low|description|
In the field I will pass the number of occurrences of the word 'low'.
My grok config:
# the literal '|' separators are escaped; unescaped, '|' is regex alternation
grok { match => ["message", "%{IPV4:host_ip}\|%{DATA:protokol_port}\|%{NUMBER:nessus_id}\|%{WORD:threatlvl}\|%{DATA:description}\|"] }
Unfortunately, each line of the log is parsed as a separate event and I cannot pass the field.
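
One way to carry a running count from one event to the next, as an added example that is not part of the original post. It assumes the logstash-filter-aggregate plugin is installed; `low_count` is a hypothetical field name, and the count is kept per `host_ip`.

```logstash
filter {
  grok {
    # '|' is escaped so it matches the literal separator instead of acting as alternation
    match => { "message" => "%{IPV4:host_ip}\|%{DATA:protokol_port}\|%{NUMBER:nessus_id}\|%{WORD:threatlvl}\|%{DATA:description}\|" }
  }

  # Only aggregate lines that grok parsed, so host_ip is always resolved
  if "_grokparsefailure" not in [tags] {
    aggregate {
      # One shared map per scanned host; every event with the same host_ip sees it
      task_id => "%{host_ip}"
      code => "
        map['low_count'] ||= 0
        map['low_count'] += 1 if event.get('threatlvl').to_s.downcase == 'low'
        # Copy the running total onto the current event (low_count is a hypothetical field name)
        event.set('low_count', map['low_count'])
      "
    }
  }
}
```

The aggregate filter only gives correct totals when events are processed in order, so run the pipeline with a single worker (`-w 1`). Each event carries the count seen so far, so the last line for a host holds the final total.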