Merging events without Unique ID


(Raphael Vau) #1

Hello! I am working with some logs and before I build the reports in Kibana, I am performing some transformations in Logstash.
I am receiving several types of events, but there are two types of events I need to merge in order to use the information of both types to build a specific report. I basically need to gather in the same event both the Wifi information and the result information.
These are the type of events I need to combine (all my events start with "INFO" or "ERROR"):

type1:

INFO - WIFI API - Sat Aug 18 17:53:45 CEST 2018

{
"wsName": "newFile",
"Connection type": "WIFI: "WifiName"",
"RAM available": "32.78%",
"CPU usage": "19.72%",
"Internal storage available (MB)": 99999.99,
"External storage available (MB)": 99999.99,
"Connectipvity": "Is available: true. Is connected: true. Type connectivity: WIFI. Wifi signal level: 4 out of 5"
}

type2:

INFO - WIFI API- Sat Aug 18 17:53:45 CEST 2018
Task1/Sub_task1 Result: 10

I thought about using the Aggregate filter but I don't have anything such as UniqueID, so I thought about using a key such as "WIFI API-Date-Time" as my task_id. The thing is I don't have anything like a "start event", the closest thing would be the empty line I have after the first "INFO" message...

Do you think I could do something like this? My goal in the end is to have in the same event the Wifi information and also the "Task1... Result:10" information.

Could you think about any other way to do it?

I thought about changing the way I use multiline so I gather information around messages like this (including the blank line)

INFO - WIFI API - Sat Aug 18 17:53:45 CEST 2018

but I am not sure I could parse it properly after it, since there can be tons of messages after that...

THANK YOU!
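As an added illustration (not part of the post above and not Logstash's own code), the following Python models the approach the question describes: treat every "INFO/ERROR - WIFI API - <date>" header as the start of a multiline event, then aggregate events under a key built from the API name and the timestamp, exactly as the aggregate filter would with `task_id => "%{api}-%{ts}"` and no start or end event. The header and result regexes, the key format, the sample log and the handling of an unparsable JSON block (the post's "Connection type" value has unescaped inner quotes) are all assumptions made for this example.

```python
import json
import re
from collections import OrderedDict

# Constructed sample modelled on the two event types in the post (not a real capture).
# The first JSON block is valid; the last one deliberately has unescaped inner quotes
# so the fallback branch below is exercised instead of silently dropping the event.
SAMPLE_LOG = r"""INFO - WIFI API - Sat Aug 18 17:53:45 CEST 2018

{
"wsName": "newFile",
"Connection type": "WIFI: \"WifiName\"",
"RAM available": "32.78%",
"CPU usage": "19.72%",
"Connectivity": "Is available: true. Is connected: true. Type connectivity: WIFI. Wifi signal level: 4 out of 5"
}
INFO - WIFI API- Sat Aug 18 17:53:45 CEST 2018
Task1/Sub_task1 Result: 10
INFO - WIFI API - Sat Aug 18 17:53:45 CEST 2018
Task1/Sub_task2 Result: 7
ERROR - WIFI API - Sat Aug 18 17:53:46 CEST 2018
{"wsName": "brokenFile", "Connection type": "WIFI: "Unescaped""}
"""

# Header every event starts with: "INFO|ERROR - <api> - <date>".
# "\s*-\s*" tolerates the missing space before the dash in the type2 header.
HEADER_RE = re.compile(
    r"^(?P<level>INFO|ERROR) - (?P<api>.+?)\s*-\s*"
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \S+ \d{4})$"
)
# Result line of a type2 event, e.g. "Task1/Sub_task1 Result: 10" (assumed format).
RESULT_RE = re.compile(r"^(?P<task>\S+) Result: (?P<value>-?\d+)$")


def split_events(lines):
    """Do what the multiline codec would: start a new event at every header line and
    attach every following non-header line (blank ones included) to its body."""
    events = []
    current = None
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            current = {"level": m["level"], "api": m["api"], "ts": m["ts"], "body": []}
            events.append(current)
        elif current is not None:
            current["body"].append(line)
    return events


def merge_events(events):
    """Emulate the aggregate filter's map keyed by task_id = "<api>-<timestamp>".
    There is no start or end event: a map is created the first time a key is seen and
    every later event with the same key adds to it. Flushing is the caller's job (in
    Logstash, push_map_as_event_on_timeout emits the map once the timeout expires)."""
    merged = OrderedDict()
    for ev in events:
        key = f"{ev['api']}-{ev['ts']}"
        out = merged.setdefault(key, {"api": ev["api"], "timestamp": ev["ts"], "results": {}})
        body = "\n".join(ev["body"]).strip()
        if body.startswith("{"):  # type1: WiFi/status JSON block
            try:
                out.update(json.loads(body))
            except json.JSONDecodeError:
                out["raw_body"] = body  # keep malformed JSON as text rather than lose it
            continue
        for line in ev["body"]:  # type2: one or more "<task> Result: <n>" lines
            r = RESULT_RE.match(line.strip())
            if r:
                out["results"][r["task"]] = int(r["value"])
    return list(merged.values())


def merge_log(text):
    """Raw log text in, list of merged events (one per api+timestamp key) out."""
    return merge_events(split_events(text.splitlines()))


if __name__ == "__main__":
    for event in merge_log(SAMPLE_LOG):
        print(json.dumps(event, indent=2))
```

Two things carry over to a real Logstash pipeline: the key has only one-second resolution, so two WiFi dumps logged in the same second would be folded into one map (add a host or process field to the key if that can happen), and because there is no end event the merged map only leaves the filter on timeout, so reports lag by at least that timeout and a restart before the flush loses whatever was still buffered.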


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.