Merge two events
Posted: Tue Feb 10, 2015 11:13 am
Hi all,
I need some help for to manage java exceptions (multiline message).
I have one case in my filter which can detect if a message contains the word "at", which means that the current event is part of a java exception :
The first basic action I want to do now is : if I'm in this case, I want to merge the current event with the previous event (which should be related to the current) with no specific processing and no check, just merging.
Do you know a simple way to implement that ?
I already looked at the "multiline" filter in logstash, but it was unsuccessful and give me strange behaviors, I hope there is a more simple way to merge events.
Thanks in advance for your help and have a good day,
Quentin
I need some help for to manage java exceptions (multiline message).
I have one case in my filter which can detect if a message contains the word "at", which means that the current event is part of a java exception :
Code: Select all
grok {
remove_tag => [ "_grokparsefailure" ]
match => [ "message", "\[%{WORD}:%{USERNAME:server_name}\]%{GREEDYDATA:msg}at %{GREEDYDATA:msg}"]
named_captures_only => true
}
if "_grokparsefailure" not in [tags] {
mutate {
replace => [ "type", "%{server_name}" ]
replace => [ "severity_label", "ERROR"]
}Do you know a simple way to implement that ?
I already looked at the "multiline" filter in logstash, but it was unsuccessful and give me strange behaviors, I hope there is a more simple way to merge events.
Thanks in advance for your help and have a good day,
Quentin