We have JSON source data with a MESSAGE field that has the actual log entry we want to collect. Each event also has a CONTAINER_ID that we would like to add to the events as MetaData at index time.
Sample input log data:
{ "CONTAINER_ID" : "abc", "MESSAGE" : "10/Jul/2017:22:32:36 first line of multiline log entry" }
{ "CONTAINER_ID" : "abc", "MESSAGE" : "second line of a multiline log entry" }
{ "CONTAINER_ID" : "xyz", "MESSAGE" : "10/Jul/2017:22:33:29 different log entry" }
The end result we would want is two Splunk events:
* Event one
container_id = "abc" (container_id is added as metadata similar to host, source, sourcetype)
_raw = "10/Jul/2017:22:32:36 first line of multiline log entry
second line of a multiline log entry"
* Event two
container_id = "xyz"
_raw = "10/Jul/2017:22:33:29 different log entry"
Note that the first event is a multiline event containing log lines that have the same CONTAINER_ID, abc.
I'm able to generate the container_id as metadata and I'm able to overwrite _raw with the value of MESSAGE. However, I don't see a way to create a multiline event based on the original CONTAINER_ID. There doesn't seem to be a way to combine log lines based on the value of a field. Is this possible?
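The merging described in the question, as an added example (not Splunk configuration and not the poster's own code): a small pre-processor that reads the JSON lines, treats a MESSAGE that begins with a timestamp as the start of a new event, and appends any following lines for the same CONTAINER_ID to that event, producing the two events shown above. The timestamp pattern and the assumption that a continuation line never carries a timestamp are inferred from the sample data.

```python
import json
import re

# Constructed sample input, mirroring the three JSON lines in the question.
SAMPLE_LINES = [
    '{ "CONTAINER_ID" : "abc", "MESSAGE" : "10/Jul/2017:22:32:36 first line of multiline log entry" }',
    '{ "CONTAINER_ID" : "abc", "MESSAGE" : "second line of a multiline log entry" }',
    '{ "CONTAINER_ID" : "xyz", "MESSAGE" : "10/Jul/2017:22:33:29 different log entry" }',
]

# Assumption: a MESSAGE starting with dd/Mon/yyyy:HH:MM:SS opens a new event.
EVENT_START = re.compile(r"^\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}\b")


def merge_events(lines):
    """Group JSON log lines into events keyed by CONTAINER_ID.

    A line whose MESSAGE matches EVENT_START begins a new event for its
    container. A line without a timestamp is a continuation of that
    container's currently open event, even if lines from other containers
    were interleaved in between. Returns a list of dicts with the
    container_id metadata and the merged _raw text, in first-seen order.
    """
    open_events = {}  # container_id -> list of MESSAGE lines of its open event
    events = []       # (container_id, lines) in the order events were opened
    for line in lines:
        record = json.loads(line)
        cid = record["CONTAINER_ID"]
        msg = record["MESSAGE"]
        if EVENT_START.match(msg) or cid not in open_events:
            # New event (or an orphan continuation with nothing to attach to).
            buf = [msg]
            open_events[cid] = buf
            events.append((cid, buf))
        else:
            open_events[cid].append(msg)
    return [{"container_id": cid, "_raw": "\n".join(buf)} for cid, buf in events]


def to_json_lines(events):
    """Serialize merged events as one JSON object per line for forwarding."""
    return [json.dumps(ev) for ev in events]


if __name__ == "__main__":
    for out in to_json_lines(merge_events(SAMPLE_LINES)):
        print(out)
```

Because grouping is keyed on CONTAINER_ID rather than on adjacency, the continuation line is still attached to the correct event when lines from different containers are interleaved.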