I have a scenario where I have to parse logs in Logstash and create some visualizations. Below is an example log:
25 Jun 2016 20:53:10,674 [http-bio-8080-exec-20] INFO com.employee.controller.EmloyeeController - [2016-06-25 20:53:10.087] [14115] [2016-06-25 21:00:11.0] [14840] [2016-06-25 21:00:11.0] [15627] [2016-06-25 21:00:11.0] [2016-06-25 20:53:10.674]
Log description:
DateTime [Thread Name] LogLevel ClassName - [Alert Start Time Stamp] [EmpId 1] [Trans Time Stamp] [EmpId 2] [Trans Time Stamp] [EmpId 3] [Trans Time Stamp] [Alert End Time Stamp]
One message can have 'n' number of alerts in it, i.e. (Employee ID and Trans Time Stamp) pairs. I'm unable to create a grok pattern for such a scenario where one message can have more than one alert.
**Secondly, for every log I have to calculate the upstream time, i.e. [Trans Time Stamp - Alert Start Time Stamp => Upstream Time Taken], to plot graphs from it.**
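The two problems in the question (a repeating group of unknown length, and a per-alert time delta) are easier to reason about outside grok first. The following is an added example, not code from the question or from Logstash: it parses the fixed header with one regex, collects every bracketed field after the `-`, treats the first as the alert start, the last as the alert end, and pairs the fields in between as (EmpId, Trans Time Stamp). The sample line is constructed from the format in the question; the field names (`alert_start`, `upstream_ms`, etc.) are my own choice.

```python
import re
from datetime import datetime

# Constructed sample line in the layout described in the question (not real data).
SAMPLE = (
    "25 Jun 2016 20:53:10,674 [http-bio-8080-exec-20] INFO "
    "com.employee.controller.EmloyeeController - [2016-06-25 20:53:10.087] "
    "[14115] [2016-06-25 21:00:11.0] [14840] [2016-06-25 21:00:11.0] "
    "[15627] [2016-06-25 21:00:11.0] [2016-06-25 20:53:10.674]"
)

# Fixed header: DateTime [Thread Name] LogLevel ClassName - <rest>
HEADER_RE = re.compile(
    r"^(?P<logtime>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>\w+) (?P<class>\S+) - (?P<rest>.*)$"
)
# Every [...] field after the dash; the count varies with the number of alerts.
BRACKET_RE = re.compile(r"\[([^\]]*)\]")
# %f accepts 1 to 6 fractional digits, so ".087" and ".0" both parse.
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def delta_ms(later, earlier):
    """Integer millisecond difference, avoiding float rounding on large spans."""
    d = later - earlier
    return d.days * 86_400_000 + d.seconds * 1000 + d.microseconds // 1000


def parse_line(line):
    """Parse one log line into a header plus a list of alerts with upstream times.

    Layout after the dash: [alert_start] ([emp_id] [trans_ts])* [alert_end]
    Raises ValueError on a line that does not fit that shape.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("header does not match")
    fields = BRACKET_RE.findall(m.group("rest"))
    # Need at least start and end, and an even number of fields in between.
    if len(fields) < 2 or (len(fields) - 2) % 2 != 0:
        raise ValueError("unexpected number of bracketed fields: %d" % len(fields))
    alert_start = parse_ts(fields[0])
    alert_end = parse_ts(fields[-1])
    alerts = []
    for emp_id, ts in zip(fields[1:-1:2], fields[2:-1:2]):
        trans = parse_ts(ts)
        alerts.append({
            "emp_id": emp_id,
            "trans_time": trans,
            # Upstream time as the question defines it: Trans - Alert Start.
            "upstream_ms": delta_ms(trans, alert_start),
        })
    return {
        "logtime": m.group("logtime"),
        "thread": m.group("thread"),
        "level": m.group("level"),
        "class": m.group("class"),
        "alert_start": alert_start,
        "alert_end": alert_end,
        "alerts": alerts,
    }


def explode(record):
    """One flat event per alert, the shape a chart needs (one point per employee)."""
    base = {k: v for k, v in record.items() if k != "alerts"}
    return [dict(base, **alert) for alert in record["alerts"]]


if __name__ == "__main__":
    for event in explode(parse_line(SAMPLE)):
        print(event["emp_id"], event["upstream_ms"], "ms")
```

In Logstash the same split of work applies: grok handles only the fixed header and captures everything after the `-` into a single field, because a grok pattern cannot express a group that repeats an unknown number of times; the repeating part is then walked in a `ruby` filter, and a `split` filter turns the resulting array into one event per alert so each employee's upstream time lands as its own point on a graph.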