I have a file that looks like this and I keep getting the first 7 lines as individual documents and the last one its own document. How do i get it so all of these come back as 1 document
input file
startTime:34534
accountId:78
format:CEF
checksum:grtgt45hfgh
endTime:45645645
configId:1234
|==|
CEF=0 helloworld=234 32313 name=ob age=90
What input are you using?
input {
file {
path => "/tmp/logs/*.log"
codec => multiline {
pattern => "^CEF"
negate => true
what => "previous"
}
}
OK, so the codec is looking for any lines that match ^CEF. Lines that do not match are joined to the previous event. A line that matches CEF starts a new event.
If you want to consume the entire file as a single event then use a pattern that never matches and flush using a timeout
codec => multiline {
pattern => "^Spalanzani"
what => "previous"
negate => true
auto_flush_interval => 2
}
If you have a repeating pattern of lines you also have the option of
codec => multiline {
pattern => "^CEF"
what => "next"
negate => true
auto_flush_interval => 2
}This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.