Multiline string parsed from filebeat reached Logstash - Unable to get desired output


(Mohammed Ayaz) #1

Hey Elastic Geeks,
I have a multiline single event that has already been parsed from filebeat. I am receiving it in Logstash as
"message": """
06/12/2017 00:47:00 - DEBUG : PP1: 1
06/12/2017 00:47:00 - DEBUG : PP2:
06/12/2017 00:47:00 - DEBUG : PP3: E11759971
06/12/2017 00:47:00 - DEBUG : PP4: 219
06/12/2017 00:47:00 - DEBUG : PP5:
06/12/2017 00:47:00 - DEBUG : PP6: dfdfdf
06/12/2017 00:47:00 - DEBUG : PP7: DAN LI
06/12/2017 00:47:00 - DEBUG : PP8: 14/01/1976 12:00:00
06/12/2017 00:47:00 - DEBUG : PP9: 0
06/12/2017 00:47:00 - DEBUG : PP10: 1
06/12/2017 00:47:00 - DEBUG : PP11: 06/12/2017 12:47:00
06/12/2017 00:47:00 - DEBUG : PP12:
06/12/2017 00:47:00 - DEBUG : PP13:
06/12/2017 00:47:00 - DEBUG : PP14:
06/12/2017 00:47:00 - DEBUG : PP15:
06/12/2017 00:47:00 - DEBUG : PP16: 219
"""
My desired output is
timeStamp only from 1st line and KV Filter for each field and value from following lines.

--Thanks


(Mohammed Ayaz) #2

I solved it with a grok filter by considering the 1st date pattern as the timestamp and the rest as greedydata, and then mutating \n and the date-patterned string out of the greedydata. As I don't require the log level I removed it, and using the KV filter I got the fields and values. Hope this might help someone.
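
One way to write the approach described in the post above as a Logstash filter block. This is an added example, not the poster's actual configuration: the field names `log_time` and `kv_body` are hypothetical, and the day-first date format is an assumption based on the `PP8` value in the sample.

```logstash
filter {
  # Take the first line's date as the timestamp; the rest of the multiline
  # event (all remaining lines) is captured into a scratch field.
  # (?m) lets GREEDYDATA run across the embedded newlines.
  grok {
    match => {
      "message" => "(?m)(?<log_time>%{DATE_EU} %{TIME}) - %{LOGLEVEL} : %{GREEDYDATA:kv_body}"
    }
  }

  # Strip the repeated "date time - LEVEL : " prefix from every following
  # line, leaving one "PPn: value" pair per line. The log level is dropped
  # here because it is never captured into a field.
  mutate {
    gsub => [
      "kv_body", "^[0-9]{2}/[0-9]{2}/[0-9]{4} [0-9:]{8} - [A-Z]+ : ", ""
    ]
  }

  # Split pairs on newline and key/value on the first colon, so values that
  # contain colons themselves (PP8, PP11) stay intact. field_split is used
  # as a regex character class by the plugin, which is why "\n" works here.
  kv {
    source      => "kv_body"
    field_split => "\n"
    value_split => ":"
    trim_key    => " "
    trim_value  => " "
  }

  # Assumption: timestamps are day-first (dd/MM/yyyy), as PP8 suggests.
  date {
    match => ["log_time", "dd/MM/yyyy HH:mm:ss"]
  }

  # Drop the scratch fields once the event is fully parsed.
  mutate {
    remove_field => ["log_time", "kv_body"]
  }
}
```

Events that do not match the grok pattern are tagged `_grokparsefailure`, which is worth checking for before relying on the extracted fields.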

