Save first lines of data and make it sharable for all file lines in logstash

joubeh · December 3, 2018, 1:36pm

Hello,
I've the following snapshot from a file that I'm using filebeat and logstash to send it to ES

Service Endpoint: http://1.1.1.1:8080/ECM
TestSuite : JenkinsDeploy
SuccessCount:4
FailureCount:0
TestCases:1 AdditionalCustomerProfile_JO.xml, Result: Success
TestCases:2 CustomerProfile_EG.xml, Result: Success
TestCases:3 LookUpRetrievals_EG.xml, Result: Success
TestCases:4 LookUpRetrievals_JO.xml, Result: Success

all I want to do is to keep sending the first 4 lines in each request to ES noting that I read many files and each file contains different data
is there any way to do it?

AquaX · December 5, 2018, 3:20am

I've been thinking about this too and I think I'm going to try using the aggregate filter

https://www.elastic.co/guide/en/logstash/current/plugins-filters-aggregate.html

Since you know what each of the lines looks like you will have to setup 4 grok filters for the first 4 lines then aggregate those together.

Then whenever the line starts with "TestCases" add the aggregated event to that event but don't define it as an end_event.
I'm not sure if this will work but it's worth a shot.

Topic		Replies	Views
Merge information from two different lines into single event Logstash	3	2564	April 6, 2017
Use information of first line in the rest of the file Logstash	3	1371	May 24, 2017
Aggregate data using filebeat Beats filebeat	4	1214	April 28, 2021
Multiple logs are concatenated to single event by Logstash Logstash	3	747	October 19, 2020
Merge lines in filebeat + logstash Beats filebeat	12	3565	July 5, 2017

Save first lines of data and make it sharable for all file lines in logstash

Related topics