Tie together events with subfields


(Yujuan Zhang) #1

I have a question about tying events together with subfields. The log file looks like the following:

LOG FILE

id 1 name paris-1-university city paris country French
id 1 namestu cici age 18 sex F

id 1 name paris-3-university city london country England
id 1 namestu toto age 21 sex M
... ...

The structure I want is like the following:
{
  "_id": "1",
  "schstu1": {
    "sch": {
      "name": "paris-1-university",
      "city": "paris",
      "country": "French"
    },
    "stu": {
      "namestu": "cici",
      "age": "18",
      "sex": "F"
    }
  },
  "schstu2": {
    "sch": {
      "name": "paris-3-university",
      "city": "london",
      "country": "England"
    },
    "stu": {
      "namestu": "toto",
      "age": "21",
      "sex": "M"
    }
  },
  "schstu3": {
    .....
  },
  "schstu4": {
    .....
  }
}

But now, when I try to use Logstash to index data into Elasticsearch (tying multiline by "id"), the result is like the following:
{
  "_id": "1",
  "schstu1": {
    "sch": {
      "name": [
        "paris-1-university",
        "paris-3-university"
      ],
      "city": [
        "paris",
        "london"
      ],
      "country": [
        "French",
        "England"
      ]
    },
    "stu": {
      "namestu": [
        "cici",
        "toto"
      ],
      "age": [
        "18",
        "21"
      ],
      "sex": [
        "F",
        "M"
      ]
    }
  }
}
How can I fix this problem? Can anyone help? Thanks in advance.
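
The pairing asked for in post #1, as an added example that is not part of the original posts and is not Logstash's own code or configuration: plain Ruby that keeps each school line together with the student line that follows it under a numbered `schstuN` key, instead of merging same-named fields into arrays. It assumes values contain no spaces and that every school line is followed by one student line for the same id; `parse_line` and `tie_events` are hypothetical names.

```ruby
require 'json'

# Constructed sample input, copied from the log lines in the question.
SAMPLE_LOG = <<~LOG
  id 1 name paris-1-university city paris country French
  id 1 namestu cici age 18 sex F

  id 1 name paris-3-university city london country England
  id 1 namestu toto age 21 sex M
LOG

# Split "key value key value ..." into a hash (assumes values have no spaces).
def parse_line(line)
  tokens = line.split
  raise ArgumentError, "odd token count: #{line.inspect}" if tokens.length.odd?
  tokens.each_slice(2).to_h
end

# Hypothetical helper: one document per id, each school line paired with the
# student line that follows it, stored under "schstu1", "schstu2", ...
def tie_events(log)
  docs = {}
  pending = {} # id => school fields still waiting for their student line
  log.each_line do |raw|
    line = raw.strip
    next if line.empty?
    fields = parse_line(line)
    id = fields.delete('id') or raise ArgumentError, "no id: #{line.inspect}"
    doc = (docs[id] ||= { '_id' => id })
    if fields.key?('namestu')
      sch = pending.delete(id) or raise ArgumentError, "student without school for id #{id}"
      n = doc.size # "_id" plus the pairs stored so far gives the next index
      doc["schstu#{n}"] = { 'sch' => sch, 'stu' => fields }
    else
      raise ArgumentError, "two school lines in a row for id #{id}" if pending.key?(id)
      pending[id] = fields
    end
  end
  raise ArgumentError, "school without student for ids #{pending.keys}" unless pending.empty?
  docs.values
end

puts JSON.pretty_generate(tie_events(SAMPLE_LOG)) if __FILE__ == $PROGRAM_NAME
```
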


(Magnus Bäck) #2

While I don't have a solution to your problem, it has nothing to do with logstash-forwarder. You might have better luck posting it in the Logstash category. You should be able to edit your first post and change its category.

