I have a log file like this,
Here, I am concerned about only the lines starting with timestamp.
1. The lines with recordId DrsSESTermsERFE, DrsSESClassifier & DrsSESTerms constitute one record in which both DrsSESTermsERFE, DrsSESClassifier are optional.
2. If dimeName=ErrorEvent, it should be individual record.
3. If dimeName=InternalRecord, just drop it.
4. I don't want to parse other log lines in the log file.
I have written the config,
The problem here is,
1. ErrorEvent is not coming as individual record. It is merging with KeyEvent record.
2. Parsing loglines other than smapi lines also.
I am new to logstash and I don't know Ruby. Where can I get materials to learn the logstash configuration.