Global variables

My data is in the format

Feb 22 23:13:35 ams2-eu2-c-smsm query[84218]: { Zqlquery : { Select: { Fieldnames: [1, respsize, reqsize] }, { FieldTypes: [LONG, U_INT, U_INT] }, { Functionames: [count, sum, +] }}
, { Where: { Fieldnames: [filetype, SM_APPLICATION_VND_ANDROID_PACKAGE_ARCHIVE_APK, SM_APPLICATION_OCTET_STREAM_IPA, policy, 11, 32, 21, 23, 65, 25, 27, 64, 61, 58, 38, 59, 60, 24, 3 7] }, { FieldTypes: [ENUM, U_SHORT, U_SHORT, ENUM, LONG, LONG, LONG, LONG, LONG, LONG, LONG, LONG, LONG, LONG, LONG, LONG, LONG, LONG, LONG] }, { Functionames: [and, in] }}, { GROUP BY: { Fieldnames: [time, 86400, threatname, urlcategory, malware, filetype] }, { FieldTypes: [TIME_T, LONG, STRING, ENUM, U_SHORT, ENUM] }, { Functionames: [interval] }}, }

Feb 22 23:13:35 ams2-eu2-c-smsm query[84218]: { ZQL query time: 1185.57 secs}

I want Logstash to process these two lines as one event based on the process ID. I thought of using the multiline codec, but there is a possibility that these two lines do not immediately follow each other. I need to store the pid of line 1, and whenever I find line 2, I need to compare the process ID, and if it matches any old event I need to add this querytime field to the old event. Is there any way to do that?

Have a look at the aggregate filter.

Thanks, this is exactly what I need.
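A sketch of how the aggregate filter suggested above could correlate the two sample lines by pid. It is an added example, not a configuration posted by anyone in the thread. Assumptions: each log record arrives as a single line in `message`; the field names (`logtime`, `logsource`, `pid`, `body`, `query`, `querytime`), the tag `_zql_no_querytime` and the 7200-second timeout are illustrative choices.

```logstash
filter {
  # Split the syslog prefix from the payload; pid is the correlation key.
  grok {
    match => { "message" => "^%{SYSLOGTIMESTAMP:logtime} %{SYSLOGHOST:logsource} %{PROG:program}\[%{POSINT:pid}\]: %{GREEDYDATA:body}$" }
  }

  if [body] =~ /Zqlquery/ {
    # Line 1: keep the query text in the shared map under host+pid and drop
    # the partial event; the merged event is emitted when line 2 arrives.
    aggregate {
      task_id    => "%{logsource}-%{pid}"
      code       => "map['query'] = event.get('body'); map['query_logtime'] = event.get('logtime'); event.cancel"
      # create_or_update: a reused pid overwrites a stale entry instead of being ignored.
      map_action => "create_or_update"
      # The sample query ran for about 1186 s, so allow well over that (assumed value).
      timeout    => 7200
      # A query whose time line never shows up is still emitted, tagged for review.
      push_map_as_event_on_timeout => true
      timeout_task_id_field        => "task_id"
      timeout_tags                 => ["_zql_no_querytime"]
    }
  } else if [body] =~ /ZQL query time/ {
    # Line 2: extract the duration, then copy the stored query onto this event.
    grok {
      match => { "body" => "ZQL query time: %{NUMBER:querytime:float} secs" }
    }
    aggregate {
      task_id     => "%{logsource}-%{pid}"
      code        => "event.set('query', map['query']); event.set('query_logtime', map['query_logtime'])"
      # update: do nothing if no line 1 was seen for this pid.
      map_action  => "update"
      # Delete the map entry so the next query from the same pid starts clean.
      end_of_task => true
    }
  }
}
```

The aggregate filter keeps its maps in memory inside one pipeline, so the pipeline has to run with a single worker (`pipeline.workers: 1`) for the two lines to be matched reliably.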