Hello everyone!
This is my first post here on the Elastic forum, so please excuse me if I'm breaking any rules...
I'm trying to parse a log file from a message broker. The logs are very heterogeneous, and have no unique ID for a "transaction".
Or better, they do have one. But it isn't unique. It connects different types of logs. But I want separate documents for each type of log.
A sample of the logs is as follows:
```
22/10 08:42:25 DEBUG hostname.full.com - ID: 2894712 Request: reqbody here
22/10 08:42:25 DEBUG hostname.full.com - ID: 2894712 Response da BSP: response body
22/10 08:42:25 DEBUG hostname.full.com - ID: 2894712 dummy data here
22/10 08:42:25 DEBUG hostname.full.com - ID: 2894712 warnings here
22/10 08:42:25 DEBUG hostname.full.com - ID: 2894712 fetch some data: body
22/10 08:42:25 DEBUG hostname.full.com - ID: 2894712 fetch some data response: body
22/10 08:42:25 DEBUG hostname.full.com - ID: 2894712 end evaluating msgs
```
ANOTHER KIND OF LOG FOLLOWING HERE:
```
22/10 08:41:33 DEBUG hostname.full.com - ID: 2894712 MQSender start write message: message body
22/10 08:41:33 DEBUG hostname.full.com - ID: 2894712 queueConnFactoryName: broker
22/10 08:41:33 DEBUG hostname.full.com - ID: 2894712 queueName: name
22/10 08:41:33 DEBUG hostname.full.com - ID: 2894712 txtMsg
SourceMF
muliline
jms_text
handleRequest ...
22/10 08:41:33 DEBUG hostname.full.com - ID: 2894712 message sent!
22/10 08:41:33 DEBUG hostname.full.com - ID: 2894712 MQSender end!
```
There are even more kinds of logs, but I'd rather keep it as simple as I can.
What I'd like to obtain is 2 documents, like these:
```json
{
  "timestamp": "22/10 08:41:33",
  "facility": "DEBUG",
  "hostname": "hostname.full.com",
  "id": "2894712",
  "request_body": "reqbody here",
  "response_body": "response body",
  "fetch_data_request": "body",
  "fetch_data_response": "body"
}
```
AND
```json
{
  "timestamp": "22/10 08:41:33",
  "facility": "DEBUG",
  "hostname": "hostname.full.com",
  "id": "2894712",
  "message_body": "message body",
  "queue_conn_factory_name": "broker",
  "queue_conn_name": "name",
  "text_msg": "text body"
}
```
As of now I can easily aggregate multiline logs (like the txtMsg above) with the multiline filter.
My problem is aggregating the different types of logs with the aggregate filter, but I can't get it to work.
If it's unclear or you need more details, please just let me know.
Thanks a lot!
Alessandro
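One way to get the two documents described in the post is to make the aggregate key the shared ID plus a flow type derived from the line itself, so the two flows never land in the same map. The pipeline below is an added example, not part of the original post. It assumes the multiline codec has already joined the txtMsg continuation lines into one event, that each flow ends with its `end evaluating msgs` or `MQSender end!` line, that Logstash runs with `pipeline.workers: 1` as the aggregate filter requires, and that the target field names are the ones from the two sample documents.

```logstash
filter {
  grok {
    match => { "message" => "^(?<timestamp>%{MONTHDAY}/%{MONTHNUM} %{TIME}) %{LOGLEVEL:facility} %{HOSTNAME:hostname} - ID: %{NUMBER:id} (?<msg>(?m:.*))" }
  }
  # Classify the line and extract its payload; lines matching nothing stay untagged
  grok {
    match => { "msg" => [
      "^Request: %{GREEDYDATA:request_body}",
      "^Response da BSP: %{GREEDYDATA:response_body}",
      "^fetch some data: %{GREEDYDATA:fetch_data_request}",
      "^fetch some data response: %{GREEDYDATA:fetch_data_response}",
      "^MQSender start write message: %{GREEDYDATA:message_body}",
      "^queueConnFactoryName: %{GREEDYDATA:queue_conn_factory_name}",
      "^queueName: %{GREEDYDATA:queue_conn_name}",
      "^txtMsg(?<text_msg>(?m:.*))",
      "^(?<end_marker>end evaluating msgs|MQSender end!)$"
    ] }
    tag_on_failure => []
  }
  # The ID is shared by both flows, so the aggregate key is ID plus flow type
  if [request_body] or [response_body] or [fetch_data_request] or [fetch_data_response] or [end_marker] == "end evaluating msgs" {
    mutate { add_field => { "log_type" => "eval" } }
  } else if [message_body] or [queue_conn_factory_name] or [queue_conn_name] or [text_msg] or [end_marker] == "MQSender end!" {
    mutate { add_field => { "log_type" => "mq" } }
  } else {
    drop { }  # assumption: lines belonging to neither flow (dummy data, warnings, "message sent!") are not needed
  }
  if ![end_marker] {
    aggregate {  # collect every non-final line of a flow into the map and discard the line itself
      task_id => "%{id}_%{log_type}"
      code => "
        %w[timestamp facility hostname id].each { |f| map[f] ||= event.get(f) }
        %w[request_body response_body fetch_data_request fetch_data_response
           message_body queue_conn_factory_name queue_conn_name text_msg].each do |f|
          map[f] = event.get(f) if event.get(f)
        end
        event.cancel
      "
      timeout => 120                        # flush a flow whose end line never arrives (set once per task_id pattern)
      push_map_as_event_on_timeout => true
    }
  } else {
    aggregate {  # the end line of a flow becomes the merged document
      task_id => "%{id}_%{log_type}"
      code => "map.each { |k, v| event.set(k, v) }"
      end_of_task => true
    }
  }
  mutate { remove_field => ["message", "msg", "end_marker", "log_type"] }
}
```

The `text_msg` field keeps the joined multi-line block exactly as the multiline codec produced it; the `(?m:.*)` groups are what let the captures span those newlines.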