The events are delimited by a line of underscores, so you could use a multiline codec to combine all the lines of a single event into one message:
# Input stage: read the file and let the multiline codec stitch each
# underscore-delimited record into a single event before it reaches the filters.
file {
  path => "/home/user/foo.txt"
  # No read offset is persisted, so the file is re-read from the start on every
  # restart. Fine for a one-off test; in a long-running pipeline this produces
  # duplicate events.
  sincedb_path => "/dev/null"
  start_position => "beginning"
  codec => multiline {
    # A line of underscores marks the boundary between records. With
    # negate => true and what => previous, every line that is NOT the delimiter
    # is appended to the event currently being built.
    pattern => "_______"
    negate => true
    what => "previous"
    # Emit a pending event after 2s without new lines, so the last record in the
    # file is not held back waiting for a delimiter that never comes.
    auto_flush_interval => 2
    # Empty tag: events are not tagged with the codec's default "multiline" tag.
    multiline_tag => ""
  }
}
Then use a grok filter to extract the individual fields:
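# Filter stage: pull each "Key : value" line of the stitched event into its
# own field. Field names are kept exactly as in the question, spaces included.
grok {
  # Try every pattern, not just the first one that matches, so each line
  # contributes its own field.
  break_on_match => false
  match => {
    "message" => [
      # Each pattern is anchored with ^ (start of a line in the Ruby-flavoured
      # regex grok uses), so a key name that merely appears inside another
      # field's value — e.g. "Role : ..." embedded in a client-supplied
      # User-Agent string — is not captured as the field itself.
      # [^\n]+ already stops at the end of the line, so no trailing \n is
      # needed; the original trailing \n would also fail to match on the last
      # line of an event, which may have no newline after it.
      "^Timestamp%{SPACE}:%{SPACE}(?<Timestamp>[^\n]+)",
      "^User%{SPACE}:%{SPACE}(?<User>[^\n]+)",
      "^Action%{SPACE}:%{SPACE}(?<Action>[^\n]+)",
      "^Source Type%{SPACE}:%{SPACE}(?<Source Type>[^\n]+)",
      "^Source ID%{SPACE}:%{SPACE}(?<Source ID>[^\n]+)",
      "^Appliance%{SPACE}:%{SPACE}(?<Appliance>[^\n]+)",
      # User-Agent is set by the client, so treat the captured value as
      # untrusted input in any downstream filter or dashboard.
      "^User-Agent%{SPACE}:%{SPACE}(?<User-Agent>[^\n]+)",
      "^Role%{SPACE}:%{SPACE}(?<Role>[^\n]+)"
    ]
  }
}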
I would recommend against having spaces in your field names: use [SourceType] rather than [Source Type], and likewise for the other capture names.