How to consider multiple lines (each of which starts with a timestamp) as a single event?

20170315:08:00:34:022156 xxxxx-[INFO]:-Dump status report
20170315:08:00:34:022156 xxxxx-[INFO]:----------------------------------------------------
20170315:08:00:34:022156 xxxxx-[INFO]:-Target database = xxx
20170315:08:00:34:022156 xxxxx-[INFO]:-Dump subdirectory = xxx
20170315:08:00:34:022156 xxxxx-[INFO]:-Dump type = Full database
20170315:08:00:34:022156 xxxxx-[INFO]:-Clear old dump directories = Off
20170315:08:00:34:022156 xxxxx-[INFO]:-Dump start time = xxx
20170315:08:00:34:022156 xxxxx-[INFO]:-Dump end time = 08:00:08
20170315:08:00:34:022156 xxxxx-[INFO]:-Status = COMPLETED
20170315:08:00:34:022156 xxxxx-[INFO]:-Dump key = 2xxx
20170315:08:00:34:022156 xxxxx-[INFO]:-Dump file compression = Off
20170315:08:00:34:022156 xxxxx-[INFO]:-Vacuum mode type = Off
20170315:08:00:34:022156 xxxxx-[INFO]:-Exit code zero, no warnings generated
20170315:08:00:34:022156 xxxxx-[INFO]:----------------------------------------------------
20170315:08:00:34:022156 xxxxx-[INFO]:-Dumping master config files

Check out the multiline timestamp example below.

https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html

Right, but there is no specific indicator for me to consider multiple lines as a single event. By looking at the above example, can you please specify how I can use an indicator or a regex pattern?

The pattern should be

codec => multiline {
  # one line per log record: 8 digits, then HH:MM:SS, then 6 digits of sub-seconds
  pattern => "^\d\d\d\d\d\d\d\d:\d\d:\d\d:\d\d:\d\d\d\d\d\d"
  negate => true
  what => "previous"
}
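To see what a given pattern/negate/what setting does to the sample before deploying it, here is an added Python model of the multiline codec's decode rules (an editor's example, not code from this thread or from Logstash itself). SAMPLE_LINES is a constructed excerpt in the same shape as the log above, and REPORT_START is a hypothetical alternative start marker used only to show how the settings interact.

```python
import re

# Constructed excerpt in the same shape as the log above (placeholder values).
SAMPLE_LINES = [
    "20170315:08:00:34:022156 xxxxx-[INFO]:-Dump status report",
    "20170315:08:00:34:022156 xxxxx-[INFO]:------------------------------",
    "20170315:08:00:34:022156 xxxxx-[INFO]:-Target database = xxx",
    "20170315:08:00:34:022156 xxxxx-[INFO]:-Status = COMPLETED",
    "20170315:08:00:34:022156 xxxxx-[INFO]:------------------------------",
    "20170315:08:00:34:022156 xxxxx-[INFO]:-Dumping master config files",
]

# Same as the posted pattern, written with quantifiers.
TIMESTAMP = r"^\d{8}:\d\d:\d\d:\d\d:\d{6}"
# Hypothetical start-of-block marker (assumption, not from the thread).
REPORT_START = r"^\d{8}:\d\d:\d\d:\d\d:\d{6} \S+-\[INFO\]:-Dump status report"


def multiline_decode(lines, pattern, negate=False, what="previous"):
    """Model of the codec: a line 'matches' when the regex hits XOR negate.
    what="previous": a matching line joins the current buffer, a non-matching
                     line flushes the buffer and starts a new one.
    what="next":     every line joins the buffer, a non-matching line flushes.
    Returns the list of events (joined lines)."""
    regex = re.compile(pattern)
    events, buf = [], []

    def flush():
        if buf:
            events.append("\n".join(buf))
            buf.clear()

    for line in lines:
        matched = bool(regex.search(line)) != negate
        if what == "previous":
            if not matched:
                flush()
            buf.append(line)
        elif what == "next":
            buf.append(line)
            if not matched:
                flush()
        else:
            raise ValueError("what must be 'previous' or 'next'")
    flush()  # end of input: emit whatever is still buffered
    return events
```

Run `multiline_decode(SAMPLE_LINES, TIMESTAMP, negate=True)` to see how the posted settings split the excerpt, and swap in REPORT_START to compare.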
