Stashing parser example

Some log sources split logs across multiple lines. For example, Cisco ISE RADIUS accounting logs are split across multiple lines and need to be stashed.

--------timestamp--------   identifier    current_part/total_parts   -----content-----
2026-05-06T05:45:58.000Z   0009204796    0/2                        1030 <181>1 2026-05-06T05:45:58+02:00 ise-server-01 CISE_RADIUS_Accounting - - - 0009204796 2 0 2026-05-06 05:45:58.349 +02:00 0279051505 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=140, Device IP Address=192.0.2.15, UserName=john.doe@example.com, NetworkDeviceName=switch-core-01, User-Name=john.doe@example.com, NAS-IP-Address=192.0.2.15, ...
2026-05-06T05:45:58.050Z   0009204796    1/2                        698 <181>1 2026-05-06T05:45:58+02:00 ise-server-01 CISE_RADIUS_Accounting - - - 0009204796 2 1 SelectedAccessService=WIRED_DOT1X, RequestLatency=2, Step=11004, Step=11017, Step=15049, Step=15008, Step=22085, Step=11005, ...

To parse this logs, you need to use the stashing parser. The stashing parser will collect the logs with the same identifier and create a single event. Only one instance of LogMan.io Parsec is allowed in the event lane. If you have multiple instances of LogMan.io Parsec in the event lane, the stashing parser will not work correctly.

The number of instances of LogMan.io Parsec is set in the event lane configuration.

/EventLanes/mytenant/cisco-ise-1.yaml

---
define:
  type: lmio/event-lane
  name: Cisco ISE

parsec:
  name: /Parsers/Cisco/ISE/
  instances: 1

Read more about the stashing parser in the Stashing parser documentation.