Hello everyone!
I am trying to ingest a log that looks something like this:
*144*04:30:19 SOME EVENT
06:17:52 -> TRANSACTION START
06:17:52 .... LOG DATA
06:18:49 <- TRANSACTION END
06:17:52 -> TRANSACTION START
06:17:52 .... LOG DATA
*144*04:30:19 SOME RANDOM EVENT
06:17:54 .... LOG DATA
06:18:49 <- TRANSACTION END
This log comes in multiple lines, so it needs to be wrapped into a single event. Basically, in this log an event can be of two types: one event is within the block TRANSACTION START - TRANSACTION END, the second event is anything that comes outside the TRANSACTION blocks. What I require is events like the following from the log:
Event 1:
*144*04:30:19 SOME EVENT
Event 2:
06:17:52 -> TRANSACTION START
06:17:52 .... LOG DATA
06:18:49 <- TRANSACTION END
Event 3:
06:17:52 -> TRANSACTION START
06:17:52 .... LOG DATA
*144*04:30:19 SOME RANDOM EVENT
06:17:54 .... LOG DATA
06:18:49 <- TRANSACTION END
I was able to acquire the result like Event 1 and 2 using the following configuration:
multiline.pattern: (^(?:([01]?\d|2[0-3]):([0-5]?\d):)?([0-5]?\d) -> TRANSACTION START)|(\*[0-9]+\*[0-9]{2}:[0-9]{2}:[0-9]{2}\s.*)
multiline.negate: true
multiline.match: after
So what it does is look for the line with TRANSACTION START and wrap the following lines into it. Or, it looks for a pattern like *{NUMBER}* and wraps the following line into it. It has provided me with the two events. However, there are conditions where the *{NUMBER}* might appear within the TRANSACTION block. In those conditions I need to put it within the TRANSACTION block rather than marking it as an independent event.
I cannot find a possible solution to this specific problem. If this explanation is not quite clear I am happy to explain it further. Would love to know if anybody has encountered this situation and how you solved it. Big thanks in advance.
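The grouping asked for above depends on state (whether a transaction is currently open), which a single start-of-event pattern with negate/after cannot carry. As an added example that is not part of the original post and is not Filebeat configuration, the same rule written as a small state machine in Python; the function name, regex names, and the handling of truncated blocks and of lines outside a block are assumptions:

```python
import re

# Line shapes copied from the post's sample; the names below are hypothetical.
TXN_START = re.compile(r"^\d{1,2}:\d{2}:\d{2} -> TRANSACTION START")
TXN_END = re.compile(r"^\d{1,2}:\d{2}:\d{2} <- TRANSACTION END")

# Sample log lines as given in the post.
SAMPLE = """\
*144*04:30:19 SOME EVENT
06:17:52 -> TRANSACTION START
06:17:52 .... LOG DATA
06:18:49 <- TRANSACTION END
06:17:52 -> TRANSACTION START
06:17:52 .... LOG DATA
*144*04:30:19 SOME RANDOM EVENT
06:17:54 .... LOG DATA
06:18:49 <- TRANSACTION END
""".splitlines()

def group_events(lines):
    """Return a list of events, each a list of raw lines."""
    events, current, in_txn = [], [], False
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if TXN_START.match(line):
            if in_txn:
                # Assumption: a START with no preceding END closes the
                # truncated block instead of swallowing the next one.
                events.append(current)
            current, in_txn = [line], True
        elif in_txn:
            # Inside a block every line, including *{NUMBER}* lines, stays.
            current.append(line)
            if TXN_END.match(line):
                events.append(current)
                current, in_txn = [], False
        else:
            # Assumption: each line outside a block is its own event.
            events.append([line])
    if in_txn:
        events.append(current)  # input ended before TRANSACTION END
    return events

if __name__ == "__main__":
    for n, event in enumerate(group_events(SAMPLE), 1):
        print(f"Event {n}:", *event, sep="\n")
```
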