Hello,
I have to ingest this type of data :
[2022-06-23 12:11:53 INF] [Env=] [Depot=] [Activity=] [RequestId=0HMIJARNNC6FT:00000002] Request finished HTTP/1.1 GET http://xxxx.yyyy:5000/api/Weight/GetPickLineSupportWeight?activityCode=SDO&depositCode=ECR&supportNumber=336042897206443351 application/json - - 200 356 application/json;+charset=utf-8 71.6420ms
[2022-06-23 12:11:53 INF] [Env=PECRRFX2] [Depot=ECR] [Activity=SDO] [RequestId=0HMIJARNNC6FT:00000002] Executed endpoint 'FMServices.Specific.Controllers.Api.WeightVolume.WeightController.GetPickLineSupportWeight (FMServices.Specific)'
[2022-06-23 12:11:53 INF] [Env=PECRRFX2] [Depot=ECR] [Activity=SDO] [RequestId=0HMIJARNNC6FT:00000002] Executed action FMServices.Specific.Controllers.Api.WeightVolume.WeightController.GetPickLineSupportWeight (FMServices.Specific) in 70.9943ms
problem is that field Activity is null for last line of log
I would like to be able when ingesting it to take activity value of another line of same index to update activity value if it is null
In following snapshot, I would like to be able to set Env=PECRRFX2 to last line by getting it from same index in the previous line :
if I could do a search for RequestId=0HMIJARNNC6FT:00000002, I may be able to find non null value. But I don't know how to do it in a pipeline (it seem we may use enriched-index, but this index should not be dynamic)
Do you know a way to do that in an ingest pipeline in elastic ?
or perhaps in filebeat ?