How to pull a field from an event to another event?


#1

I am currently working with logs with some of its content looking like this:

00:19:59.771 (07120/evtThread     ) TRC> Cem< [Core1] CALL_STATE... 
#S#|Call stats, ongoing calls: 8, handled_calls: 7304
#S#+----------------------------+----------+----------+----------+----------+----------+
#S#|Peer                        |      From|        To|   MinTime|   MaxTime|   AvgTime|
#S#+----------------------------+----------+----------+----------+----------+----------+
#S#|        CallDispatcher:Core2|         0|         0|         0|         0|         0|

I parsed the line containing the time like this:

grok {
    match => [ "message", "%{TIME:time} (?<bcm_comp>\(\d{5}\/\w{4,}\:*\ *\w*\)) (?<loglevel>\w{3}>{1}) %{GREEDYDATA:message}" ]
    overwrite => [ "message" ]
    add_field => [ "BCM_System", "PROD" ]
}

The lines containing the #S# at the front were parsed like this.

grok {
    match => [ "message", "(?<start>\#\S\#\|)\s* (?<peer>\w*\:\w*)(?<div2>\|)\s* %{NUMBER:From}(?<div3>\|)\s* %{NUMBER:To}(?<div4>\|)\s* %{NUMBER:MinTime}(?<div5>\|)\s* %{NUMBER:MaxTime}(?<div6>\|)\s* %{NUMBER:AvgTime}(?<div7>\|)" ]
    remove_field => [ "start", "div2", "div3", "div4", "div5", "div6", "div7" ]
    overwrite => [ "message" ]
    add_field => [ "reference_time", "%{@time}" ]
}

What I am trying to do is take the time from the previous line and add it as a field on the #S# lines that I grokked. I tried using the add_field syntax from Logstash as shown, but it doesn't work: it just literally prints out %{@time}.


(Magnus Bäck) #2

There's no simple way, no. See the following related thread from last week:


(James) #3

This probably comes to you too late to be of any use, but you can do it with class variables, if you're careful. There is a tradeoff: you will have to settle on only ONE worker in your logstash to avoid problems.

Here is a thread on how I did it:

Good luck -

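As an added example (not code from the thread), the class-variable approach from the reply above, modelled in plain Ruby so it runs without Logstash: `Event` is a constructed stand-in for the `event.get`/`event.set` API that a `ruby { code => "..." }` filter block sees, and the two regexes are simplified versions of the grok patterns in the question. Inside Logstash only the body of `filter` would live in the ruby filter, and the pipeline would have to run with a single worker (`-w 1`) for the shared state to be meaningful.

```ruby
# Event: constructed stand-in for the get/set API of a Logstash ruby filter.
class Event
  def initialize(fields); @fields = fields; end
  def get(key); @fields[key]; end
  def set(key, value); @fields[key] = value; end
  def to_h; @fields; end
end

# Header line: time, component in parentheses, three-letter level plus '>'.
HEADER_RE = /\A(?<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?<bcm_comp>\(\d{5}\/\w+:?\s*\w*\)) (?<loglevel>\w{3}>) (?<rest>.*)\z/
# Stats row: the #S# lines with a Peer column followed by five numeric columns.
STATS_RE = /\A#S#\|\s*(?<peer>\w+:\w+)\|\s*(?<from>\d+)\|\s*(?<to>\d+)\|\s*(?<min>\d+)\|\s*(?<max>\d+)\|\s*(?<avg>\d+)\|\z/

module ReferenceTime
  # Class-level state outlives a single event. This is why the pipeline must
  # run with a single worker (-w 1): parallel workers would each see a
  # different, out-of-order @@last_time.
  @@last_time = nil

  def self.filter(event)
    msg = event.get('message').to_s
    if (m = HEADER_RE.match(msg))
      @@last_time = m[:time]
      event.set('time', m[:time])
      event.set('bcm_comp', m[:bcm_comp])
      event.set('loglevel', m[:loglevel])
      event.set('message', m[:rest]) # like overwrite => [ "message" ]
    elsif (m = STATS_RE.match(msg))
      event.set('peer', m[:peer])
      %w[from to min max avg].each { |k| event.set(k, m[k].to_i) }
      # A stats row seen before any header gets no reference_time at all,
      # instead of the literal "%{@time}" the add_field attempt produced.
      event.set('reference_time', @@last_time) unless @@last_time.nil?
    end
    event
  end
end

def process(lines)
  lines.map { |line| ReferenceTime.filter(Event.new('message' => line)).to_h }
end

# Constructed input mirroring the excerpt in the question.
SAMPLE_LINES = [
  '00:19:59.771 (07120/evtThread     ) TRC> Cem< [Core1] CALL_STATE... ',
  '#S#|Call stats, ongoing calls: 8, handled_calls: 7304',
  '#S#|Peer                        |      From|        To|   MinTime|',
  '#S#|        CallDispatcher:Core2|         0|         0|         0|         0|         0|'
]
```

Running `process(SAMPLE_LINES)` tags the CallDispatcher row with `reference_time` = `00:19:59.771`, while the header and separator rows, which match neither pattern, pass through untouched.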