Need Help with Logstash Multiline Codec

Here is my sample log data :

2021/05/17 12:17:41.866 | 382DC9789F284D3C9D7CC269F1851094|0000SUMMARY:[INFO ]:
2021/05/17 12:17:41.866 |---------------------------------------------------------------------
2021/05/17 12:17:41.866 | TRANSACTION FLOW SUMMARY
2021/05/17 12:17:41.866 |---------------------------------------------------------------------
2021/05/17 12:17:41.866 |Transaction Type : null
2021/05/17 12:17:41.866 |Direction : INWARD
2021/05/17 12:17:41.866 |---------------------------------------------------------------------
2021/05/17 12:17:41.866 |Amount : null
2021/05/17 12:17:41.866 |From Bank : null
2021/05/17 12:17:41.866 |From Branch : null
2021/05/17 12:17:41.866 |From Account No : null
2021/05/17 12:17:41.866 |From Account Name : null
2021/05/17 12:17:41.866 |To Bank : null
2021/05/17 12:17:41.866 |To Branch : null
2021/05/17 12:17:41.866 |To Account No : null
2021/05/17 12:17:41.866 |To Account Name : null
2021/05/17 12:17:41.866 |Reference : null
2021/05/17 12:17:41.866 |---------------------------------------------------------------------
2021/05/17 12:17:41.866 |STAN : null
2021/05/17 12:17:41.866 |RRN : null
2021/05/17 12:17:41.866 |Date Time : null
2021/05/17 12:17:41.866 |---------------------------------------------------------------------
2021/05/17 12:17:41.866 |Status : null
2021/05/17 12:17:41.866 |Response Code : null
2021/05/17 12:17:41.866 |Response Desc : null
2021/05/17 12:17:41.866 |---------------------------------------------------------------------
2021/05/17 12:17:41.866 | COMPONENT SUMMARY
2021/05/17 12:17:41.866 |---------------------------------------------------------------------
2021/05/17 12:17:41.866 |Id :1: Name:API: Time-Out :8sec: State :REVERSE_COMPLETED
2021/05/17 12:17:41.866 |Id :2: Name:LankaPay: Time-Out :5sec: State :REVERSE_COMPLETED
2021/05/17 12:17:41.866 |Id :3: Name:CBS: Time-Out :11sec: State :FORWARD_NOT_COMPLETED
2021/05/17 12:17:41.866 |---------------------------------------------------------------------
2021/05/17 12:18:41.866 | 382DC9789F284D3C9D7CC269F1851094|0000SUMMARY:[INFO ]: Channel is Idle


How can I use the multiline codec to read the TRANSACTION FLOW SUMMARY report as one document,
like this:

 TRANSACTION FLOW SUMMARY 

Transaction Type : null
Direction : INWARD

Amount : null
From Bank : null
From Branch : null
From Account No : null
From Account Name : null
To Bank : null
To Branch : null
To Account No : null
To Account Name : null
Reference : null

STAN : null
RRN : null
Date Time : null

Status : null
Response Code : null
Response Desc : null

 COMPONENT SUMMARY 

Id :1: Name:API: Time-Out :8sec: State :REVERSE_COMPLETED
Id :2: Name:LankaPay: Time-Out :5sec: State :REVERSE_COMPLETED
Id :3: Name:CBS: Time-Out :11sec: State :FORWARD_NOT_COMPLETED

Here is my current Logstash config:
input {
  file {
    type => "info"
    path => "C:/elastic_stack/logstash-7.11.1/data/log_info.txt"
    start_position => "beginning"
    codec => multiline {
      # A line carrying the "| <session-id>|<channel>:[...]:" header starts a new event;
      # with negate => true, every other line (rules and report rows) is appended to the
      # previous event. The | [ ] must be escaped or they act as regex operators, and
      # DATESTAMP expects MM/DD/YYYY or DD/MM/YYYY, so it never matches 2021/05/17.
      pattern => "^%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}\s\|\s%{GREEDYDATA}\|%{WORD}:\[%{GREEDYDATA}\]:"
      negate => true
      what => "previous"
    }
  }
}

filter {
  if [type] == "info" {
    grok {
      # One match block with an array of patterns, tried in order; two separate
      # "match" keys in the same grok block are a duplicate-key configuration.
      match => { "message" => [
        "^(?<timestamp>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME})\s\|\s%{GREEDYDATA:session-id}\|%{WORD:channel}:\[%{GREEDYDATA:log-info}\]:%{GREEDYDATA:switch-message}",
        "^(?<timestamp>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME})\s\|\s%{GREEDYDATA:switch-message}"
      ] }
    }
  }
}

output {
  elasticsearch {
    hosts => ["192.168.1.1:9200"]
    index => "econlogtest1234"
  }
}

I want to read my other messages with the grok pattern I used, while reading the reports as a document.
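The question above turns on how the multiline codec decides which lines start an event and which get folded into the one before. The following is an added Python example, not code from the original post or from Logstash, that reproduces the codec's negate/what rule over a trimmed, constructed copy of the posted log lines, shows why the unescaped `|` in the posted pattern makes every line match (so nothing is merged), and then parses one folded report into fields. The names TIMESTAMP, HEADER, UNESCAPED, multiline and parse_report are mine; the field names mirror the ones used in the posted grok pattern.

```python
import re

# Constructed sample: a trimmed copy of the log excerpt in the post, same format.
SAMPLE_LOG = """\
2021/05/17 12:17:41.866 | 382DC9789F284D3C9D7CC269F1851094|0000SUMMARY:[INFO ]:
2021/05/17 12:17:41.866 |---------------------------------------------------------------------
2021/05/17 12:17:41.866 | TRANSACTION FLOW SUMMARY
2021/05/17 12:17:41.866 |---------------------------------------------------------------------
2021/05/17 12:17:41.866 |Transaction Type : null
2021/05/17 12:17:41.866 |Direction : INWARD
2021/05/17 12:17:41.866 |---------------------------------------------------------------------
2021/05/17 12:17:41.866 |Id :1: Name:API: Time-Out :8sec: State :REVERSE_COMPLETED
2021/05/17 12:18:41.866 | 382DC9789F284D3C9D7CC269F1851094|0000SUMMARY:[INFO ]: Channel is Idle
"""

# The log's timestamp is YYYY/MM/DD HH:MM:SS.mmm (grok's DATESTAMP would not match it).
TIMESTAMP = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"

# What the posted pattern means once | [ ] are read as regex operators: three
# alternatives, the middle one (\s.*) matching any line that contains a space.
UNESCAPED = re.compile(rf"^{TIMESTAMP}\s|\s.*|\w+:[.*]:.*")

# The intended header pattern with the metacharacters escaped: only the
# "| <session-id>|<channel>:[<level>]:" lines match, so only they start an event.
HEADER = re.compile(
    rf"^{TIMESTAMP} \| (?P<session_id>[^|]+)\|(?P<channel>\w+):"
    r"\[(?P<log_info>[^\]]*)\]:(?P<switch_message>.*)$"
)


def multiline(lines, start, negate=True, what="previous"):
    """Reproduce the multiline codec's grouping rule.

    negate=False folds the lines that match `start`; negate=True folds the lines
    that do NOT match it. what="previous" appends a folded line to the event
    before it; what="next" attaches it to the event that follows.
    """
    events, pending = [], []
    for line in lines:
        fold = bool(start.search(line)) != negate
        if what == "previous":
            if fold and events:
                events[-1].append(line)
            else:
                events.append([line])
        else:
            pending.append(line)
            if not fold:            # the first unfolded line closes the event
                events.append(pending)
                pending = []
    if pending:
        events.append(pending)
    return ["\n".join(e) for e in events]


KV = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*)$")
COMPONENT = re.compile(
    r"^Id :(?P<id>\d+): Name:(?P<name>\w+): Time-Out :(?P<timeout>\d+)sec: State :(?P<state>\w+)$"
)


def body_of(line):
    """Strip the repeated 'timestamp |' prefix that every report row carries."""
    return re.sub(rf"^{TIMESTAMP} \|", "", line)


def report_text(event):
    """The report as the post wants it: prefix removed, rules turned into blank lines."""
    out = []
    for line in event.splitlines():
        if HEADER.search(line):
            continue                # the header is parsed into fields, not kept as text
        body = body_of(line)
        if body.startswith("-----"):
            body = ""
        if body == "" and (not out or out[-1] == ""):
            continue                # collapse repeated blank lines
        out.append(body)
    return "\n".join(out).strip()


def parse_report(event):
    """Turn one folded event into a document: header fields, key/value rows, components."""
    doc = {"components": []}
    for line in event.splitlines():
        m = HEADER.search(line)
        if m:
            doc.update({k: v.strip() for k, v in m.groupdict().items()})
            continue
        body = body_of(line).strip()
        c = COMPONENT.match(body)
        if c:
            doc["components"].append(c.groupdict())
        elif body.count(":") == 1:
            kv = KV.match(body)
            if kv:
                doc[kv["key"].strip()] = kv["value"]
    doc["report"] = report_text(event)
    return doc


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("events with the unescaped pattern:", len(multiline(lines, UNESCAPED)))
    for ev in multiline(lines, HEADER):
        print(parse_report(ev))
```

Run as a script, the unescaped pattern yields nine single-line events (every line "matches", so negate never folds anything), while the escaped header pattern yields two events: the whole report and the "Channel is Idle" line. The same escaping applies to the Logstash pattern strings: `\|`, `\[` and `\]`.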
