Hi ,
I just came across an event where the log lines are of the format:
Date:2016-10-18
Time:14:31:05
Event Code:0x60a
Description:Internal information only. A logical unit has been enabled
Subsystem:CKM00124801986
Device:Bus 1 Enclosure 4 Disk 10
SP:SPA
Host:localhost
Source:N/A
Category:N/A
Log:Storage Array
Sense Key:0x0
Ext Code1:0x1cb01c4
Ext Code2:0x1e57140a
Type:Information
But i just cant get the multiline to work for this.
I tried:-
%{NUMBER}.\nDate:%{DATE_YMD}
Please help.
Hi,
Any help is appreciated.
Regards,
Debarun.
Is "1." the indicator that a new message begins? If so,
pattern => "^1\.$"
negate => true
what => previous
should work, i.e. "unless the line begins with '1.', join it with the previous line".
HI,
The loglines progress as 1. then 2., 3. and so on.
Regards,
Debarun.
Okay, so use ^\d+\.$ then.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.