How to combine Multiline events into Single Event

I am trying to index the sip logs (telephony) , but while indexing ,it took each line as separate event .Give me some suggestions to combine those events into one single event.
Here I am giving log format

<135>85748973: 6315194: Aug 11 03:31:44.284 UTC: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
<135>85748974: Received:
<135>85748975: REGISTER sip:x.x.x.x SIP/2.0
<135>85748976: Via: SIP/2.0/UDP x.x.x.x:5060;branch=z9hG4bK00258963
<135>85748977: From: sip:xxx@x.x.x.x;tag=00041478526632
<135>85748978: To: sip:xxx@x.x.x.x
<135>85748979: Call-ID: 14862369752224479222@x.x.x.x
<135>85748980: Max-Forwards: 70
<135>85748981: Date: Tue, 18 Aug 2019 3:31:44 GMT
<135>85748982: CSeq: 271 REGISTER
<135>85748983: User-Agent: Cisco-CSF
<135>85748984: Contact: sip:253e2588963-1478-560a0fae691a@x.x.x.x:5060;transport=udp;+sip.instance=urn:uuid:1478200002558633333;+u.sip!;+u.sip!;video;bfcp
<135>85748985: Supported: replaces,join,sdp-anat,norefersub,resource-priority,extended-refer,X-cisco-callinfo,X-cisco-serviceuri,X-cisco-escapecodes,X-cisco-service-control,X-cisco-srtp-fallback,X-cisco-monrec,X-cisco-config,X-cisco-sis-7.0.0,X-cisco-xsi-8.5.1
<135>85748986: Expires: 0
<135>85748987: Content-Length: 0

All these are belongs 1 log message,I want to merge them into single event.

Thanks in Adavance,

You might be able to use a multiline codec, but that will depend on what type of input you are using, and whether you can define a regexp that identifies the start (or end) or a set of lines that should be combined.

Hi Badger,

Here I am using TCP and UDP as input, Can I use multiline codec input in this case?


Unfortunately, a multiline codec does not work well with a tcp input. See here.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.