Newbie- trying to get info from various lines of a log

What is the best practice for getting information that may be strewn over multiple lines of a log file?

Desired result: visualization of how many times 'person' bought a 'coffee' over a period of time.

I have to parse through a log which tracks events, but there is a separate log line for the person the event pertains to. The threadid for the whole transaction is the same to link them, but the lines are separated.

Example log lines:

timestamp threadid "Person logged in"
timestamp threadid "Coffee purchased"

The threadids are the same, but the timestamps are different. I'm looking for a way to link these events in a manner that can be used in a visualization.

Thank you.

I would recommend you look into this excellent training by Mark Harwood about this subject: https://www.elastic.co/elasticon/2015/sf/building-entity-centric-indexes

It describes the best practices surrounding what you are trying to do. Hope that helps, and please feel free to ask for clarification on anything specific.
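As an added illustration of the join the question asks about (and of the per-entity summary the linked talk recommends building), here is a small Python script, not part of the original thread: it parses lines in the question's `timestamp threadid "message"` shape, processes them in time order, attributes each "Coffee purchased" line to the person most recently logged in on the same threadid, and buckets the result per person per day. The sample log is constructed, and the assumption that the login line carries the person's name (the question does not say how the person is identified) is labelled in the code.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the question's "timestamp threadid "message"" shape.
# Assumption (not stated in the question): the login line carries the person's name.
# Thread id t101 is reused by a second login later to show why events must be
# processed in time order rather than grouped blindly by thread id.
SAMPLE_LOG = """\
2024-01-02T08:00:01 t100 "Person logged in: alice"
2024-01-02T08:00:05 t101 "Person logged in: bob"
2024-01-02T08:01:10 t100 "Coffee purchased"
2024-01-02T08:02:30 t101 "Coffee purchased"
2024-01-02T08:03:00 t101 "Coffee purchased"
2024-01-03T09:00:00 t102 "Person logged in: alice"
2024-01-03T09:05:00 t102 "Coffee purchased"
2024-01-03T09:06:00 t103 "Coffee purchased"
2024-01-03T10:00:00 t101 "Person logged in: carol"
2024-01-03T10:01:00 t101 "Coffee purchased"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<thread>\S+)\s+"(?P<msg>[^"]*)"\s*$')
LOGIN_RE = re.compile(r'^Person logged in: (?P<person>\S+)$')
PURCHASE_MSG = "Coffee purchased"


def parse_line(line):
    """Return {"ts", "thread", "msg"} for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "thread": m["thread"], "msg": m["msg"]}


def correlate(lines):
    """Join purchase events to the person on the same thread id.

    Returns (purchases, orphans): purchases is a list of (person, timestamp)
    tuples; orphans counts purchases whose thread had no preceding login line.
    """
    events = [ev for ev in (parse_line(l) for l in lines) if ev is not None]
    events.sort(key=lambda ev: ev["ts"])  # file order is not guaranteed to be time order
    current_person = {}  # thread id -> person of the most recent login on that thread
    purchases, orphans = [], 0
    for ev in events:
        login = LOGIN_RE.match(ev["msg"])
        if login:
            current_person[ev["thread"]] = login["person"]
        elif ev["msg"] == PURCHASE_MSG:
            person = current_person.get(ev["thread"])
            if person is None:
                orphans += 1  # surface the gap instead of silently dropping the event
            else:
                purchases.append((person, ev["ts"]))
    return purchases, orphans


def purchases_per_person_per_day(lines):
    """Bucket correlated purchases by (person, day): the series a chart would plot."""
    purchases, orphans = correlate(lines)
    counts = defaultdict(int)
    for person, ts in purchases:
        counts[(person, ts.date().isoformat())] += 1
    return dict(counts), orphans


if __name__ == "__main__":
    counts, orphans = purchases_per_person_per_day(SAMPLE_LOG.splitlines())
    for (person, day), n in sorted(counts.items()):
        print(f"{day} {person}: {n}")
    print(f"unattributed purchases: {orphans}")
```

The point of sorting by timestamp and tracking the "current" person per thread is that thread ids are typically reused over the life of a process, so a plain group-by on threadid would merge unrelated sessions; the orphan counter keeps a purchase with no matching login visible rather than quietly dropping it, which is worth checking before trusting the resulting chart.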
