Process events from split

sirReeall · September 16, 2022, 9:41am

Is it possible to have logstash process the events generated from a split?

For example, give the following:

2022-09-06 23:39:01.034+0000 INFO  [my.java.class] Process started \n
   some lines \n
   some more lines \n
   process is fined \n

Using multiline the above is combine into a single event. Multiline is also used because java stack traces need to be handled.

codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate => true
      what => previous
      # Some logs contain a large amount of multiline data
      max_lines => 2000
    }

Then I can split the above event into smaller events:

split {
  field => "message"
}

This will generate four events, one per line in the original. I then wanted to process these events further. Is this possible?

sirReeall · September 16, 2022, 10:01am

Actually looks like they are processed

system · October 14, 2022, 10:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How does split filtered events processed? Logstash	3	452	October 8, 2020
Logstash Mutliline Inquiry Logstash	17	3765	July 6, 2017
Split event into multiples and parse with grok separately Logstash	3	336	March 26, 2021
Processing multiline events from filebeat Logstash	5	328	May 2, 2018
Logstash + XML + Multiple split Logstash	2	327	April 1, 2022

Process events from split

Related topics