Logstash filtering on filebeat's successfully multilined event

nnet · November 22, 2019, 6:28pm

I have correctly configured filebeat to deal with a multiline event generated by ISC's kea software.
I want to parse that event into various fields, but none of my grok statements are matching. I think it may have to do with EOL, but my attempts to use things like \n or $ are not matching. Here's an example of an event:

2019-10-14T12:01:11.131-0400 INFO [kea-dhcp-ddns.d2-to-dns/13043] DHCP_DDNS_ADD_SUCCEEDED DHCP_DDNS Request ID 000001152FBA39EEA026B1D7B5E76088BBD4FBA6835B4854D3994882B13FA1279FDD84: successfully added the DNS mapping addition for this request: Type: 0 (CHG_ADD)
Forward Change: yes
Reverse Change: yes
FQDN: [ddns-192-168-17-103.dhcp.ldev.]
IP Address: [192.168.17.103]
DHCID: [000001152FBA39EEA026B1D7B5E76088BBD4FBA6835B4854D3994882B13FA1279FDD84]
Lease Expires On: 20191014170111
Lease Length: 3600

I want to parse some fields from the first line, and from each line after that one.
I'm stuck on how to parse field data from the multiline event, any pointers?

kvch · November 28, 2019, 3:13pm

I moved the question to Logstash forum, as it is an LS question.

Badger · November 28, 2019, 3:24pm

Does this help?

nnet · November 28, 2019, 3:34pm

I missed this response...@kvch thanks...@Badger will give your suggestion a try, thanks.

system · December 26, 2019, 3:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.