Code:
tcp {
    type => 'import_raw_multiline'
    tags => 'import_raw'
    port => 2056
    # A line that does not start with "CompanyName" is appended to the previous event
    codec => multiline {
        pattern => "^CompanyName"
        negate => "true"
        what => "previous"
    }
}
Code:
if [type] == 'import_raw_multiline' {
    mutate {
        add_field => { "YYYY-MM-DD" => "" }
    }
    # Capture the first date of the form 20YY-MM-DD found in the message
    grok {
        match => [ "message", "(?<YYYY-MM-DD>20[1-2][0-9]-[0-1][0-9]-[0-3][0-9])" ]
    }
}
Creates a bar graph like:
Does this help accomplish what you're looking for?
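
Added example, not part of the original post: a Python simulation of how the multiline codec settings and the date regex above behave together, run over constructed sample lines. The function names and sample data are assumptions, and Python's group name `date` stands in for the `YYYY-MM-DD` field because Python group names cannot contain hyphens.

```python
import re
from collections import Counter

START = re.compile(r"^CompanyName")  # codec pattern from the post
# Date regex from the post, with a Python-legal group name.
DATE = re.compile(r"(?P<date>20[1-2][0-9]-[0-1][0-9]-[0-3][0-9])")

# Constructed sample input, one list item per line received on the TCP port.
SAMPLE = [
    "CompanyName export 2015-03-09 run 1",
    "  detail line a",
    "  detail line b",
    "CompanyName export 2015-03-10 run 2",
    "  detail referencing 2014-12-31",
    "CompanyName export 2015-03-10 run 3",
]

def group_events(lines):
    """negate => true, what => previous: a line NOT matching the pattern
    joins the previous event; a matching line starts a new event."""
    events, buf = [], []
    for line in lines:
        if START.search(line) and buf:
            events.append("\n".join(buf))  # flush the finished event
            buf = []
        buf.append(line)
    if buf:
        # The simulation flushes at end of input; a live stream keeps the
        # last event buffered until the next start line or a flush.
        events.append("\n".join(buf))
    return events

def extract_date(message):
    """Return the first date in the message, as the single grok match does."""
    m = DATE.search(message)
    return m.group("date") if m else None

def counts_by_date(lines):
    """Events per extracted date: the numbers a date bar graph would plot."""
    dates = (extract_date(e) for e in group_events(lines))
    return dict(Counter(d for d in dates if d is not None))

if __name__ == "__main__":
    for event in group_events(SAMPLE):
        print(repr(event), "->", extract_date(event))
    print(counts_by_date(SAMPLE))
```

Only the first date in each multiline event is captured, so a later date inside a continuation line (the constructed `2014-12-31` above) does not affect the count.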