Multiple consecutive lines with no unique identifier

Hello everyone!
This is my first post here on the Elastic forum :smile: so please excuse me if I'm breaking any rules...

I'm trying to parse a log file from a message broker. The logs are very heterogeneous and have no unique ID for a "transaction".
Or rather, they do have one, but it isn't unique: it connects different types of logs, and I want a separate document for each type of log.

A sample of the logs is as follows:
22/10 08:42:25 DEBUG hostname.full.com -  ID: 2894712   Request: reqbody here
22/10 08:42:25 DEBUG hostname.full.com -  ID: 2894712   Response da BSP: response body
22/10 08:42:25 DEBUG hostname.full.com -  ID: 2894712   dummy data here
22/10 08:42:25 DEBUG hostname.full.com -  ID: 2894712   warnings here
22/10 08:42:25 DEBUG hostname.full.com -  ID: 2894712   fetch some data: body
22/10 08:42:25 DEBUG hostname.full.com -  ID: 2894712   fetch some data response: body
22/10 08:42:25 DEBUG hostname.full.com -  ID: 2894712   end evaluating msgs
ANOTHER KIND OF LOG FOLLOWS HERE:
22/10 08:41:33 DEBUG hostname.full.com -  ID: 2894712   MQSender start write message: message body
22/10 08:41:33 DEBUG hostname.full.com -  ID: 2894712   queueConnFactoryName: broker
22/10 08:41:33 DEBUG hostname.full.com -  ID: 2894712   queueName: name
22/10 08:41:33 DEBUG hostname.full.com -  ID: 2894712   txtMsg
	SourceMF
	muliline 
	jms_text
	handleRequest                                                                                    ...
22/10 08:41:33 DEBUG hostname.full.com -  ID: 2894712   message sent!
22/10 08:41:33 DEBUG hostname.full.com -  ID: 2894712   MQSender end!

There are even more kinds of logs, but I'd rather keep this as simple as I can.
What I'd like to obtain is two documents, like these:

{ "timestamp": "22/10 08:42:25",
   "facility": "DEBUG",
   "hostname": "hostname.full.com",
   "id": "2894712",
   "request_body": "reqbody here",
   "response_body": "response body",
   "fetch_data_request": "body",
   "fetch_data_response": "body"
}
AND
{ "timestamp": "22/10 08:41:33",
   "facility": "DEBUG",
   "hostname": "hostname.full.com",
   "id": "2894712",
   "message_body": "message body",
   "queue_conn_factory_name": "broker",
   "queue_name": "name",
   "text_msg": "text body"
}

As of now I can easily join multiline logs (like the txtMsg above) with the multiline filter.
My problem is combining the different types of logs with the aggregate filter; I can't get it to work.
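
For reference, the multiline joining can also be done at the input stage with the multiline codec, treating every line that does not start with the `dd/mm hh:mm:ss` timestamp as a continuation of the previous event (a sketch; the file path is a placeholder):

    input {
      file {
        path => "/var/log/broker.log"    # placeholder path
        codec => multiline {
          # lines NOT starting with a "22/10 08:41:33"-style timestamp
          # belong to the previous event (e.g. the txtMsg body)
          pattern => "^\d{2}/\d{2} \d{2}:\d{2}:\d{2} "
          negate => true
          what => "previous"
        }
      }
    }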

If it's unclear or you need more details, please just let me know :grinning:
Thanks a lot!
Alessandro

Here is an example of how to handle the first type of log:

    # pull out the common prefix; ts is assembled from the two date/time tokens
    dissect { mapping => { "message" => "%{ts} %{+ts} %{level} %{hostname} -  ID: %{id}   %{restOfLine}" } }
    # then extract the per-line payload from the remainder
    grok {
        match => {
            "restOfLine" => [
                "Request: %{GREEDYDATA:requestBody}",
                "Response da BSP: %{GREEDYDATA:responseBody}",
                "fetch some data: %{GREEDYDATA:fetchDataRequest}",
                "fetch some data response: %{GREEDYDATA:fetchDataResponse}"
            ]
        }
    }
    aggregate {
        task_id => "%{id}"
        code => '
            map["timestamp"] ||= event.get("ts")
            map["facility"]  ||= event.get("level")
            map["hostname"]  ||= event.get("hostname")
            # copy whichever payload field this particular line produced
            ["requestBody", "responseBody", "fetchDataRequest", "fetchDataResponse"].each do |f|
                map[f] = event.get(f) if event.get(f)
            end
            # drop the per-line event; only the aggregated map is emitted
            event.cancel
        '
        push_map_as_event_on_timeout => true
        timeout_task_id_field => "id"
        timeout => 6
    }
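
The same approach can be extended to the second log type. Since both types share the same ID, one way to keep them as separate documents is to tag each line with its log type and use a different aggregate map per type. A sketch, assuming the dissect shown above has already run; the grok patterns and field names are guesses from your sample:

    grok {
        match => {
            "restOfLine" => [
                "MQSender start write message: %{GREEDYDATA:messageBody}",
                "queueConnFactoryName: %{GREEDYDATA:queueConnFactoryName}",
                "queueName: %{GREEDYDATA:queueName}"
            ]
        }
        add_tag => [ "mqsender" ]
        tag_on_failure => []
    }
    # a separate map (note the task_id suffix) so the MQSender flow ends up
    # in its own document even though it shares the ID with the other flow
    if "mqsender" in [tags] {
        aggregate {
            task_id => "%{id}_mq"
            code => '
                map["id"]        ||= event.get("id")
                map["timestamp"] ||= event.get("ts")
                map["facility"]  ||= event.get("level")
                map["hostname"]  ||= event.get("hostname")
                ["messageBody", "queueConnFactoryName", "queueName"].each do |f|
                    map[f] = event.get(f) if event.get(f)
                end
                event.cancel
            '
            push_map_as_event_on_timeout => true
            timeout => 6
        }
    }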

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.