Hi,
My event looks like this:
####<Feb 5, 2018 2:57:30 PM CST6CDT> <Info> <APM> <host101> *** Starting Rule Debug Messages February 5, 2018 2:57:30 PM CST6CDT ***
[1] *** Rule Name [ Set expiration date when eligibility duration is not zero ] ***
[1.1] Activated On [ Component ][ Sponsored Pass ] In Context of [ Component] .
[1.2] The rule evaluateResult is [false ] .
[1.3] Rule Ended [ Successfully ] .
Rule executed in Activity [ HandleWiFiProduct ] .
[1.4] Rule was activated on ApTechImpl[40163342628__0] Item .
[2] *** Rule Name [ Set expiration date when duration is zero ] ***
[2.1] Activated On [ Component ][ Sponsored Pass ] In Context of [ Component] .
[2.2] The rule evaluateResult is [false ] .
[2.3] Rule Ended [ Successfully ] .
Rule executed in Activity [ HandleWiFiProduct ] .
[2.4] Rule was activated on ApTechImpl[40162344628__0] Item .
If the string "Starting Rule Debug Messages" exists in the first part, it means a list of the rules will follow. There are new lines between every part of the event.
The first part can be handled by a grok.
If the message includes Starting Rule Debug Messages, I want to create a field Rule1 that will contain the Rule 1 lines, Rule2 that will contain the next rule's lines, etc.
There are newlines between every part.
Can I have your advice on how to handle it?
I thought of using Ruby for it.
Thanks
Sharon.
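
One way to do the split described in the question, as an added example that is not part of the original post: plain Ruby that groups every line under the `[N] *** Rule Name` header that precedes it, so unnumbered lines such as `Rule executed in Activity` stay with their rule. The names `split_rules`, `MARKER`, `RULE_HEADER` and `SAMPLE` are hypothetical, and it assumes the whole multi-line event is already in a single string (in a Logstash ruby filter, the `message` field).

```ruby
# Added example. SAMPLE is constructed from the event shown in the question.
SAMPLE = <<~'EVENT'
  ####<Feb 5, 2018 2:57:30 PM CST6CDT> <Info> <APM> <host101> *** Starting Rule Debug Messages February 5, 2018 2:57:30 PM CST6CDT ***
  [1] *** Rule Name [ Set expiration date when eligibility duration is not zero ] ***
  [1.1] Activated On [ Component ][ Sponsored Pass ] In Context of [ Component] .
  [1.2] The rule evaluateResult is [false ] .
  [1.3] Rule Ended [ Successfully ] .
  Rule executed in Activity [ HandleWiFiProduct ] .
  [1.4] Rule was activated on ApTechImpl[40163342628__0] Item .

  [2] *** Rule Name [ Set expiration date when duration is zero ] ***
  [2.1] Activated On [ Component ][ Sponsored Pass ] In Context of [ Component] .
  [2.2] The rule evaluateResult is [false ] .
  [2.3] Rule Ended [ Successfully ] .
  Rule executed in Activity [ HandleWiFiProduct ] .
  [2.4] Rule was activated on ApTechImpl[40162344628__0] Item .
EVENT

MARKER = "Starting Rule Debug Messages"
# Matches "[1] *** Rule Name ..." but not sub-items such as "[1.1] ...".
RULE_HEADER = /\A\[(\d+)\] \*\*\* Rule Name /

# Returns {"Rule1" => "...", "Rule2" => "..."}; returns {} when the first
# line does not carry the marker, so ordinary events are left alone.
def split_rules(message)
  lines = message.split(/\r?\n/).map(&:strip).reject(&:empty?)
  return {} unless lines.first.to_s.include?(MARKER)

  rules = {}
  current = nil
  lines.drop(1).each do |line|
    if (m = RULE_HEADER.match(line))
      current = "Rule#{m[1]}"        # a new rule block starts here
      rules[current] = [line]
    elsif current
      rules[current] << line         # continuation of the current rule
    end
  end
  rules.transform_values { |block| block.join("\n") }
end

# In a Logstash ruby filter (assumed wiring) the same logic would be:
#   split_rules(event.get("message")).each { |k, v| event.set(k, v) }
```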