Multiline section?

jxm0983 · July 7, 2017, 8:42pm

I'm wanting to prepend one line onto each future line, each of which should be shipped separately to Logstash. I haven't been able to find anything that looked like this in the documentation.

The "log" that I'm parsing is broken into sections, i.e.:
servername 1
line 1
line 2
...
servername 2
line 1
line 2
...
What I'd like to do is have the server name prepended to each of the following lines, until another matching servername "start" line is found. To be clear, I want each of the other lines to be a separate message into Logstash, but each should contain the server name that preceded the section.
Is carrying forward a variable like this something that multiline can already do, or would this be an opportunity for an enhancement request?

andrewkroh · July 7, 2017, 9:41pm

You could use the multiline feature in Filebeat to group the related logs lines together into a single event. Then send the data to Logstash where you would apply a grok filter to parse the server name from the message, then apply a split filter to break the event apart.

system · August 4, 2017, 9:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.