Logstash pattern or dsl query


(LuciferHBP) #1

Hi,
I have the following kind of logs:

DEBUG 20161219T172835.101-05:00 59 Client start
DEBUG 20161219T172835.101-05:00 59 Client v=1
DEBUG 20161219T172835.101-05:00 59 Client v=2
DEBUG 20161219T172835.461-05:00 59 Client end
INFO 20161219T172835.461-05:00 - Initializing v
INFO 20161219T172835.461-05:00 - v initialized
DEBUG 20161219T172734.179-05:00 30 Client start
DEBUG 20161219T172734.179-05:00 30 Client v=4
DEBUG 20161219T172734.179-05:00 30 Client v=5
DEBUG 20161219T172734.539-05:00 30 Client end

Now I want to capture all the events that occurred between the keywords "start" & "end". Could anyone suggest how to write a configuration for Logstash or any DSL query to achieve this...
Thanks


(Mark Walkom) #2

What do you have so far?


(LuciferHBP) #3

I have indexed the log file into the following fields: loglevel, timestamp, client, value

Now I want only those events that are present between consecutive start & end keywords (value field)!

Right now I could find some information related to the Logstash aggregate plugin that might be of help; please help if it could be done...
Thanks


(Mark Walkom) #4

Right, but what do you have, what config?
I don't want to come across rude, but we aren't going to write it for you. We're more than happy to help you adapt what you have though :slight_smile:


(Fabien Baligand) #5

If you want to discard start/end lines, you can simply use something like:

if [message] =~ "start|end" {
  drop {}
}

If you want the "v=INT" log lines aggregated into only one document, then you have to use the aggregate filter.
And if so, what is the final expected document ?
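Added example, not code from this thread or from the Logstash project: a Python script that parses the lines from the original post into the loglevel/timestamp/client/value fields and then groups everything between a client's "start" and its next "end" into one document, the same keyed-by-task grouping the aggregate filter does with task_id => "%{client}". The regex and the assumption that the third token is the client (with "-" meaning none) are mine, since the original grok pattern was not posted; the second sample (clients 7, 8, 9) is constructed to show the interleaved and unterminated cases that the first sample does not.

```python
import re

# Regex for the thread's line format:  LOGLEVEL TIMESTAMP CLIENT MESSAGE
# Assumption: the third token is the client id ("-" on the INFO lines means
# no client) and everything after it is the message. The original grok
# pattern was not posted, so these field names are an assumption.
LINE_RE = re.compile(
    r"^(?P<loglevel>[A-Z]+)\s+"
    r"(?P<timestamp>\d{8}T\d{6}\.\d{3}[+-]\d{2}:\d{2})\s+"
    r"(?P<client>\S+)\s+"
    r"(?P<message>.+)$"
)

# The ten lines from the original post, embedded so the script runs offline.
SAMPLE_LOG = """\
DEBUG 20161219T172835.101-05:00 59 Client start
DEBUG 20161219T172835.101-05:00 59 Client v=1
DEBUG 20161219T172835.101-05:00 59 Client v=2
DEBUG 20161219T172835.461-05:00 59 Client end
INFO 20161219T172835.461-05:00 - Initializing v
INFO 20161219T172835.461-05:00 - v initialized
DEBUG 20161219T172734.179-05:00 30 Client start
DEBUG 20161219T172734.179-05:00 30 Client v=4
DEBUG 20161219T172734.179-05:00 30 Client v=5
DEBUG 20161219T172734.539-05:00 30 Client end
"""

# Constructed sample (not from the thread): two clients whose blocks interleave,
# one block that never gets an 'end', and an 'end' with no preceding 'start'.
INTERLEAVED_LOG = """\
DEBUG 20161219T172900.000-05:00 7 Client start
DEBUG 20161219T172900.001-05:00 8 Client start
DEBUG 20161219T172900.002-05:00 7 Client v=10
DEBUG 20161219T172900.003-05:00 8 Client v=20
DEBUG 20161219T172900.004-05:00 8 Client end
DEBUG 20161219T172900.005-05:00 9 Client end
"""


def parse_line(line):
    """Split one raw line into loglevel, timestamp, client and value.
    Returns None when the line does not match (a _grokparsefailure in Logstash)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # Drop the literal "Client " prefix so value is just "start", "end" or "v=N".
    msg = event.pop("message")
    event["value"] = msg[len("Client "):] if msg.startswith("Client ") else msg
    return event


def aggregate_sessions(lines):
    """Group the events between a client's 'start' and its next 'end' into one
    document, keyed by client like aggregate's task_id => "%{client}".
    Returns (sessions, orphans):
      sessions - one dict per start..end block, in the order the blocks closed;
                 blocks still open at end of input are flushed with complete=False
                 so the loss is visible rather than silent
      orphans  - raw lines that belong to no open block (lines with no client,
                 unparseable lines, or 'end'/'v=N' with no preceding 'start')"""
    open_sessions = {}  # client -> session being built
    sessions, orphans = [], []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev is None or ev["client"] == "-":
            orphans.append(raw)
            continue
        client, value = ev["client"], ev["value"]
        if value == "start":
            # A second 'start' while the client is open: close the old block as incomplete.
            if client in open_sessions:
                sessions.append(open_sessions.pop(client))
            open_sessions[client] = {"client": client, "start": ev["timestamp"],
                                     "end": None, "events": [], "complete": False}
        elif client in open_sessions:
            sess = open_sessions[client]
            if value == "end":
                sess["end"] = ev["timestamp"]
                sess["complete"] = True
                sessions.append(open_sessions.pop(client))
            else:
                sess["events"].append(value)
        else:
            orphans.append(raw)
    # Flush blocks that never saw an 'end' (aggregate would do this on timeout).
    sessions.extend(open_sessions.values())
    return sessions, orphans


if __name__ == "__main__":
    for name, log in (("thread sample", SAMPLE_LOG), ("constructed", INTERLEAVED_LOG)):
        sessions, orphans = aggregate_sessions(log.splitlines())
        print(name, "->", len(sessions), "sessions,", len(orphans), "orphan lines")
        for s in sessions:
            print("  ", s)
```

The three branches map onto the aggregate filter's map_action => "create" (on "start"), "update" (on "v=N") and the end_of_task => true event (on "end"); the flush of still-open blocks is what the filter's timeout option does, and it matters because a block whose "end" line was lost would otherwise disappear without trace. The drop{} approach in the reply above keeps the "v=N" lines but does not group them per block; this grouping is what the aggregate filter adds.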


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.