Hello
I want to aggregate Zimbra logs from several servers. Here is a short example:
85C19C0506: removed
A4936C0506: client=unknown[10.10.10.10]:55288
A4936C0506: message-id=20170515220002.A4936C0506@mta.zimbra.exemple.com
9DE10C0502: to=mail@example.com, relay=mailbox.zimbra.exemple.com[10.20.20.20]:7025, delay=0.15, delays=0.01/0/0.02/0.12, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
9DE10C0502: removed
A4936C0506: from=mail2@example.com, size=3072, nrcpt=1 (queue active)
connect from localhost[127.0.0.1]:48434
C5FB0C0502: client=localhost[127.0.0.1]:48434
C5FB0C0502: message-id=20170515220002.A4936C0506@mta.zimbra.exemple.com
disconnect from unknown[10.10.10.10]:55288
connect from unknown[10.10.10.10]:48228
C5FB0C0502: from=mail2@example.com, size=3274, nrcpt=1 (queue active)
disconnect from localhost[127.0.0.1]:48434
A4936C0506: to=mail@example.com, relay=127.0.0.1[127.0.0.1]:10030, delay=0.2, delays=0.15/0/0/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as C5FB0C0502)
It's an example from one server. Sometimes one mail is processed on several servers. The flow on one server starts with some id, for example A4936C0506 (I call it ID_IN), and ends with the id it will start with on the next server, for example C5FB0C0502 (ID_OUT). I want to aggregate only logs with ID_IN or ID_OUT. I want to create the whole flow of how a mail is processed. I have all the grok patterns that I need. I can cut ID_IN, or ID_IN and ID_OUT, from one log. My idea is to assign a new id (UUID) ID_FLOW. One log in -> grok -> logstash (with elasticsearch plugin) looking back (60s) for the id IN or OUT -> if the old log has an ID_FLOW then copy it to your ID_FLOW, else create a new ID_FLOW.
Generally I want to create the mail processing flow from all servers.
Ok. Time to explain what I have.
Logstash :
if [ID_IN] {
  # look back 60s for any document that already carries this id as ID_IN or ID_OUT
  elasticsearch {
    hosts  => ["localhost:9200"]
    query  => "@timestamp:[now-60s TO now] AND (ID_IN:%{[ID_IN]} OR ID_OUT:%{[ID_IN]})"
    # copy ID_FLOW from the matched document into this event (source field => target field)
    fields => { "ID_FLOW" => "ID_FLOW" }
  }
  # nothing matched, so this event starts a new flow
  if ![ID_FLOW] {
    uuid {
      target => "ID_FLOW"
    }
  }
}
I was stuck in this place.
Please, help me to resolve this problem.
THX
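The stitching logic described in the post (extract ID_IN / ID_OUT, look the ids up, reuse an existing ID_FLOW or mint a new one), as an added Python example that is not part of the original post and not Logstash or Elasticsearch code. It replaces the grok stage with two regexes and the Elasticsearch look-back with an in-memory dictionary (the 60s window is dropped because the sample lines carry no timestamps), and it also handles the case visible in the sample itself: the lines for C5FB0C0502 arrive before the "queued as C5FB0C0502" line that links it to A4936C0506, so the two ids have already received different ID_FLOW values and must be merged. The queue-id length (10 hex characters) and the FlowStitcher/stitch names are assumptions for this example.

```python
import re
import uuid

# Constructed sample input: the Postfix-style lines quoted in the post
# (queue ids and hosts are the ones from the post; no timestamps were given).
SAMPLE_LOG = """85C19C0506: removed
A4936C0506: client=unknown[10.10.10.10]:55288
A4936C0506: message-id=20170515220002.A4936C0506@mta.zimbra.exemple.com
9DE10C0502: to=mail@example.com, relay=mailbox.zimbra.exemple.com[10.20.20.20]:7025, delay=0.15, delays=0.01/0/0.02/0.12, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
9DE10C0502: removed
A4936C0506: from=mail2@example.com, size=3072, nrcpt=1 (queue active)
connect from localhost[127.0.0.1]:48434
C5FB0C0502: client=localhost[127.0.0.1]:48434
C5FB0C0502: message-id=20170515220002.A4936C0506@mta.zimbra.exemple.com
disconnect from unknown[10.10.10.10]:55288
connect from unknown[10.10.10.10]:48228
C5FB0C0502: from=mail2@example.com, size=3274, nrcpt=1 (queue active)
disconnect from localhost[127.0.0.1]:48434
A4936C0506: to=mail@example.com, relay=127.0.0.1[127.0.0.1]:10030, delay=0.2, delays=0.15/0/0/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as C5FB0C0502)
""".splitlines()

# Assumption: queue ids are at least 10 uppercase hex characters, as in the sample.
# "queued as <id>" is the hand-off to the next queue id (ID_OUT).
QUEUE_ID_RE = re.compile(r"^(?P<ID_IN>[0-9A-F]{10,}): ")
QUEUED_AS_RE = re.compile(r"queued as (?P<ID_OUT>[0-9A-F]{10,})")


def parse_line(line):
    """Stand-in for the grok stage: extract ID_IN and, when present, ID_OUT.
    Lines without a queue id (connect/disconnect) return None and are not aggregated."""
    m = QUEUE_ID_RE.match(line)
    if not m:
        return None
    event = {"message": line, "ID_IN": m.group("ID_IN")}
    m2 = QUEUED_AS_RE.search(line)
    if m2:
        event["ID_OUT"] = m2.group("ID_OUT")
    return event


class FlowStitcher:
    """Stand-in for the Elasticsearch look-back: remembers which ID_FLOW each
    queue id (IN or OUT) belongs to and merges two flows when a 'queued as'
    line links ids that were already seen separately."""

    def __init__(self, new_uuid=None):
        self.flow_of = {}    # queue id -> ID_FLOW
        self.events = []     # every aggregated event, in arrival order
        self.new_uuid = new_uuid or (lambda: str(uuid.uuid4()))

    def process(self, event):
        ids = [event["ID_IN"]] + ([event["ID_OUT"]] if "ID_OUT" in event else [])
        known = {self.flow_of[i] for i in ids if i in self.flow_of}
        if not known:
            flow = self.new_uuid()   # nothing in the look-back: start a new flow
        else:
            flow = min(known)        # deterministic survivor when merging
            for stale in known - {flow}:
                self._merge(stale, flow)
        for i in ids:
            self.flow_of[i] = flow
        event["ID_FLOW"] = flow
        self.events.append(event)
        return event

    def _merge(self, stale, flow):
        # Relabel events already emitted under the stale flow. In Logstash those are
        # documents already indexed; a filter alone cannot update them, which is
        # the gap the original pipeline has when the linking line arrives late.
        for i, f in list(self.flow_of.items()):
            if f == stale:
                self.flow_of[i] = flow
        for e in self.events:
            if e["ID_FLOW"] == stale:
                e["ID_FLOW"] = flow


def stitch(lines, new_uuid=None):
    """Parse and stitch all lines; returns {ID_FLOW: [messages]} in arrival order."""
    st = FlowStitcher(new_uuid)
    for line in lines:
        ev = parse_line(line)
        if ev:
            st.process(ev)
    flows = {}
    for e in st.events:
        flows.setdefault(e["ID_FLOW"], []).append(e["message"])
    return flows


if __name__ == "__main__":
    for flow_id, msgs in stitch(SAMPLE_LOG).items():
        print(flow_id)
        for m in msgs:
            print("   ", m)
```

On the sample this yields three flows: 85C19C0506 alone, 9DE10C0502 alone, and one flow holding every A4936C0506 and C5FB0C0502 line, because the final "queued as" line merges the two ids. The point for the Logstash design is that the elasticsearch filter only enriches the event it is processing, so any documents indexed before the linking line arrives keep their old ID_FLOW unless something reindexes or updates them afterwards.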