Process events from split

sirReeall · September 16, 2022, 9:41am

Is it possible to have logstash process the events generated from a split?

For example, give the following:

2022-09-06 23:39:01.034+0000 INFO  [my.java.class] Process started \n
   some lines \n
   some more lines \n
   process is fined \n

Using multiline the above is combine into a single event. Multiline is also used because java stack traces need to be handled.

codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate => true
      what => previous
      # Some logs contain a large amount of multiline data
      max_lines => 2000
    }

Then I can split the above event into smaller events:

split {
  field => "message"
}

This will generate four events, one per line in the original. I then wanted to process these events further. Is this possible?

sirReeall · September 16, 2022, 10:01am

Actually looks like they are processed

system · October 14, 2022, 10:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Mutliline Inquiry Logstash	17	3765	July 6, 2017
Processing multiline events from filebeat Logstash	5	328	May 2, 2018
Logstash + XML + Multiple split Logstash	2	326	April 1, 2022
How to process event multiple times Logstash	3	1461	December 5, 2017
I am using Multiline codec input plugin but the events which are not matching with my PATTERN it also processing those Events Logstash	2	120	September 21, 2023

Process events from split

Related Topics