Multiline syslogs group with the same PID?


(Joe Shang) #1

I'm curious how you would attempt to create a multiline match on just the PID to put it in a single event?

I'm currently using this:

prospectors:
  -
    paths:
      - /usr/local/log/opensips.log
    encoding: plain
    input_type: log
    exclude_lines: ["ACD DEBUG1 ", "isflagset is not set to"]
    multiline:
      pattern: '----- Received +|----- out$'
      negate: true
      match: after
      max_lines: 500
      timeout: 5s
    tail_files: true

But there are times when the log lines don't follow sequentially, so the logs don't group together, as in the following example:

May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25432]: ----- Received SUBSCRIBE from 96.88.101.105 to sip:111@511132.retracted.com:5060 373daac320b557f@192.168.1.113, <179c730894a14c8> sip:111@511132.retracted.com:5060
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25401]: ----- Received SUBSCRIBE from 96.88.101.105 to sip:115@511132.retracted.com:5060 e07c9141e7deba4@192.168.1.113, sip:115@511132.retracted.com:5060
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25432]: xXx = method is REGISTER or SUBSCRIBE
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25432]: ----- out to sip:111@511132.retracted.com:5060 / sip:10.15.7.23:5090
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25401]: xXx = method is REGISTER or SUBSCRIBE
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25401]: ----- out to sip:115@511132.retracted.com:5060 / sip:10.15.7.35:5090
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25431]: ----- Received SUBSCRIBE from 96.88.101.105 to sip:118@511132.retracted.com:5060 306cc35b3d3940d@192.168.1.113, sip:118@511132.retracted.com:5060
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25431]: xXx = method is REGISTER or SUBSCRIBE
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25431]: ----- out to sip:118@511132.retracted.com:5060 / sip:10.15.7.34:5090
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25419]: ----- Received NOTIFY from 10.15.7.58 to sip:61e05271773d14178601496e61cb7db0@10.15.7.30 <926cfb17-95b2-1234-699b-00219bfc76bb>, sip:113@10.15.7.58
May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips[25419]: ---call to sip:61e05271773d14178601496e61cb7db0@10.15.7.30, from 10.15.7.58/5090

So I was thinking it may be best to group based on the PID, but I tried:

filebeat:
  prospectors:
    -
      paths:
        - /usr/local/log/opensips.log
      encoding: plain
      input_type: log
      exclude_lines: ["ACD DEBUG1 ", "isflagset is not set to"]
      multiline:
        pattern: '[[[:digit:]]{5}]: +|[[[:digit:]]{5}]: ----- out$'
        negate: true
        match: after
        max_lines: 500
        timeout: 10s
      tail_files: true

But I couldn't figure out how to make it match based on the PID. I am not too sure how to use (re) within the above, as I believe the other type of grouping, (?s) or (?m), is unsupported according to http://elasticsearch.qiniudn.com/guide/en/beats/filebeat/current/regexp-support.html


(Steffen Siering) #2

You are asking for correlation? Multiline is about parsing multiple consecutive lines into one event.


(Joe Shang) #3

Yeah, I do know that, but is there a way filebeat can group events like in the above with the same PID into one?

Like sometimes you see different processes writing to the log at the same time, and they sometimes run over each other as you can see above. Can filebeat somehow group the events that match the same PID until its timeout, to finally group that as one event?


(Steffen Siering) #4

No, filebeat is not parsing actual content. Regular expressions are only used for matching lines according to some pattern. You're basically asking for event correlation, which is not supported by filebeat. filebeat is about shipping logs, not processing content.
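The per-PID correlation asked for in this thread is something a downstream stage (a pipeline filter or a small script reading the shipped lines) can do, since filebeat's multiline only joins consecutive lines. The following is an added example, not filebeat code and not from anyone in the thread: it reassembles interleaved opensips lines by PID using the thread's '----- Received' / '----- out' markers. The regex, the function name and the sample lines are assumptions constructed for the example in the same syslog format the thread shows.

```python
import re

# Hypothetical matcher for the opensips syslog format quoted in the thread:
# "<Mon> <day> <hh:mm:ss> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\S+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

START_MARK = "----- Received"  # first line of a request (from the thread)
END_MARK = "----- out"         # last line of a request (from the thread)


def correlate_by_pid(lines):
    """Group messages from one PID into one event, tolerating interleaving.

    Opens on START_MARK, closes on the same PID's END_MARK; other PIDs'
    lines in between do not split the event. Unparseable lines pass
    through as single-line events. Returns (pid, [messages]) tuples.
    """
    open_events = {}  # pid -> messages of the event still in flight
    finished = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            finished.append((None, [line]))
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith(START_MARK) and pid in open_events:
            # new request from a PID whose previous one never reached END_MARK
            finished.append((pid, open_events.pop(pid)))
        open_events.setdefault(pid, []).append(msg)
        if msg.startswith(END_MARK):
            finished.append((pid, open_events.pop(pid)))
    # flush whatever is still open (the analogue of filebeat's multiline timeout)
    finished.extend(open_events.items())
    return finished


# Constructed sample: three PIDs writing interleaved lines, same layout as the thread
PREFIX = "May 15 19:41:45 azsbc1 /usr/local/opensips_sbc/sbin/opensips"
SAMPLE = [
    PREFIX + "[25432]: ----- Received SUBSCRIBE from 192.0.2.10 to sip:111@example.test:5060",
    PREFIX + "[25401]: ----- Received SUBSCRIBE from 192.0.2.10 to sip:115@example.test:5060",
    PREFIX + "[25432]: xXx = method is REGISTER or SUBSCRIBE",
    PREFIX + "[25432]: ----- out to sip:111@example.test:5060 / sip:10.15.7.23:5090",
    PREFIX + "[25401]: xXx = method is REGISTER or SUBSCRIBE",
    PREFIX + "[25401]: ----- out to sip:115@example.test:5060 / sip:10.15.7.35:5090",
    PREFIX + "[25419]: ----- Received NOTIFY from 10.15.7.58 to sip:113@10.15.7.58",
    PREFIX + "[25419]: ---call to sip:113@10.15.7.30, from 10.15.7.58/5090",
]
```

Running `correlate_by_pid(SAMPLE)` yields three events (PIDs 25432 and 25401 with three messages each, 25419 with two flushed at end of input) even though the lines arrive interleaved.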
