Hi All,
I've define grok pattern and mutate in filter in logstash.
if "Correlation_Session_0" in [CorrelationSession] {
mutate {
split => ["RequestInTime" , "_"]
add_field => [ "RequstInsplitime", "%{[RequestInTime][1]}" ]
}
}
Which is working fine. But when i've parse log file which having multiple line with RequestInTime value, RequstInsplitime value's overwrite. I can just see last value of RequstInsplitime.
How can i define permanent value for each document rather than overwrite them?