How to write logstash multiline for interlaced log lines from different process threads based on a dynamic identifier


dummy logfile:

[1] test123
[2] test234
[3] test345
[2] test321 
[1] test432
[3] test058
[1] test002

Expected result from multiline: merge lines with the same id and consider them a single event.

[1] test123
[1] test432
[1] test002


The stream_identity property of the multiline filter should work for this.

When using the filter, you can't run more than one worker thread (-w). The multiline codec is supposed to help with that, but the man page does not describe a stream feature like this.
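An added example, not part of the original answers: a filter block for the dummy log above that extracts the bracketed id with grok and uses it as the multiline `stream_identity`. The field names `thread_id` and `text` and the `max_age` value are assumptions chosen for illustration; run it with a single worker (`-w 1`), as noted above.

```logstash
filter {
  # Pull the bracketed identifier out of each line, e.g. "[2] test234".
  # "thread_id" and "text" are hypothetical field names.
  grok {
    match => { "message" => "^\[%{INT:thread_id}\] %{GREEDYDATA:text}" }
  }

  multiline {
    # Every line that starts with "[<number>]" is a continuation line...
    pattern => "^\[\d+\]"
    what => "previous"
    # ...but only of the pending event that has the same identifier.
    # Without this, interleaved lines from [1], [2] and [3] would be
    # merged into one event in arrival order.
    stream_identity => "%{thread_id}"
    # Seconds a pending event may wait for more lines before it is
    # flushed (assumed value; tune to how long one thread stays quiet).
    max_age => 5
  }
}
```

Because every line matches the pattern, an event for a given id is only emitted once no new line for that id has arrived within `max_age` seconds.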
