I have an input like the following:
2015-12-02T12:39:57.546461+08:00 222.55.201.19 c): start_time="2015-12-02 ...some other log info... src=192.168.1.153 dst=8.8.8.8 src_port=51145 dst_port=13 ...some other log info... start_time="2015-12-02 src=192.168.1.123 dst=8.8.8.8 src_port=52245 dst_port=53 ...some other log info...
The above has many src and dst fields, and all of them are in one line.
When I use "message" => "src=%{IP:SRC} dst=%{IP:DST}", I manage to get only the first src and dst. I am unable to get the rest of the src and dst values in the line.
What command should I use to achieve what I need? I heard that I might need to do some kind of split, but I cannot find information on this.
I have solved this problem via a workaround. I have made changes to how the source is generated. The source now has one record per line.
I have also tried the "split" method. It does fix the problem, but the amount of code increases significantly.
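As an added example (not code from the poster or from Logstash itself), the following Ruby snippet, Ruby being the language of a Logstash ruby filter, pulls every src/dst record out of a multi-record line like the one above with a repeated-match scan, and also shows the per-record split that the workaround relies on. The sample line and its port values are constructed for this example; `extract_flows`, `extract_first_flow` and `split_records` are names chosen here.

```ruby
# Constructed sample line modelled on the one in the question
# (the "...some other log info..." parts are replaced by timestamps).
SAMPLE_LINE = '2015-12-02T12:39:57.546461+08:00 222.55.201.19 c): ' \
  'start_time="2015-12-02 12:39:50" src=192.168.1.153 dst=8.8.8.8 ' \
  'src_port=51145 dst_port=13 ' \
  'start_time="2015-12-02 12:39:55" src=192.168.1.123 dst=8.8.8.8 ' \
  'src_port=52245 dst_port=53'

IPV4 = '\d{1,3}(?:\.\d{1,3}){3}'

# One src/dst record; unlike a single grok match, scan applies it repeatedly.
FLOW_RE = /src=(?<src>#{IPV4})\s+dst=(?<dst>#{IPV4})\s+
           src_port=(?<src_port>\d+)\s+dst_port=(?<dst_port>\d+)/x

# Returns one hash per src/dst record found anywhere in the line.
def extract_flows(line)
  line.scan(FLOW_RE).map do |src, dst, src_port, dst_port|
    {
      'src' => src,
      'dst' => dst,
      'src_port' => src_port.to_i,
      'dst_port' => dst_port.to_i
    }
  end
end

# What the single grok pattern in the question effectively yields:
# only the first record in the line.
def extract_first_flow(line)
  extract_flows(line).first
end

# The "record per line" workaround, done in the pipeline instead of at the
# source: cut the line in front of every start_time= and keep only the
# chunks that carry a src= field, so each chunk can be handled on its own.
def split_records(line)
  line.split(/(?=start_time=)/).select { |chunk| chunk.include?('src=') }
end

if __FILE__ == $PROGRAM_NAME
  extract_flows(SAMPLE_LINE).each { |flow| puts flow.inspect }
  puts split_records(SAMPLE_LINE).length
end
```

Inside a Logstash ruby filter the same logic would read the line with `event.get("message")` and store the array with `event.set("flows", extract_flows(line))`, so every record becomes searchable rather than just the first.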