dummy logfile:
[1] test123
[2] test234
[3] test345
[2] test321
[1] test432
[3] test058
[1] test002`
expected result from multiline to merge lines with same id and consider as single event.
[1] test123
[1] test432
[1] test002
Asked
Active
Viewed 90 times
0
Vishal
- 1
- 1
1 Answers
0
The stream_identity property of the multiline filter should work for this.
When using the filter, you can't run more than one worker thread (-w). The multiline codec is supposed to help with that, but the man page does not describe a stream feature like this.
Alain Collins
- 16,268
- 2
- 32
- 55
-
Thanks I will check it out !! – Vishal Dec 11 '15 at 03:35