Stashing parser

The stashing parser joins logs that are split across multiple lines into a single event.

Declaration

The stashing processor collects logs that share the same identifier into an ordered list of length total_parts, indexed from 0 to total_parts - 1, taking each log's index position from current_part. When all logs are collected, a single event is created from the collected content parts.

---
define:
  type: parsec/parser/stashing

stash:
  identifier: <PROCESS_ID>  # what field is used as an identifier
  total_parts: <TOTAL_LOG_PARTS>  # what field is used for the total number of expected logs
  current_part: <LOG_PART>  # what field is used for counting the current part
  content: <MESSAGE>  # what content is stashed

  # optionals
  max_age: 15m  # after this time, the incomplete event is sent to others
  max_size: 50000  # when this number is exceeded, the incomplete event is sent to others

Example

Input logs:

-------timestamp-------   identifier    current_part/total_parts   -----content-----
2025-09-01T12:00:00.000   1024          0/3                        user: harry_potter,
2025-09-01T12:00:00.100   1024          1/3                        ip: 120.10.20.30,
2025-09-01T12:00:00.200   1024          2/3                        action: login

Output:

2025-09-01T12:00:00.000   1024 0/3  user: harry_potter, ip: 120.10.20.30, action: login
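
The following is an added example, not LogMan.io code: a minimal Python model of the collect, complete and evict behaviour described in the declaration, fed with the three sample lines above in a different arrival order. The names `Stash`, `feed`, `expire` and `run_sample` are hypothetical. It assumes that `max_size` counts the identifiers held at once and that a repeated index or a changed total starts a new group; the page does not specify either.

```python
import time

class Stash:
    """Hypothetical sketch of the stashing behaviour described above."""
    def __init__(self, max_age=900.0, max_size=50000, clock=time.monotonic):
        self.max_age = max_age    # seconds; 15m in the declaration above
        self.max_size = max_size  # ASSUMPTION: cap on identifiers held at once
        self.clock = clock        # injectable so expiry can be tested offline
        self.groups = {}          # identifier -> {"seen", "total", "parts"}

    def _drain(self, identifier):
        """Remove a group and return its collected contents in index order."""
        parts = self.groups.pop(identifier)["parts"]
        return [parts[i] for i in sorted(parts)]

    def expire(self):
        """Evict groups older than max_age so a missing part cannot pin memory."""
        now = self.clock()
        stale = [k for k, g in self.groups.items() if now - g["seen"] > self.max_age]
        return [(k, self._drain(k)) for k in stale]

    def feed(self, identifier, current_part, total_parts, content):
        """Return (complete, others): joined events and incomplete leftovers."""
        complete, others = [], self.expire()
        if not 0 <= current_part < total_parts:
            return complete, others + [(identifier, [content])]
        group = self.groups.get(identifier)
        # ASSUMPTION: a changed total or a repeated index starts a new group.
        if group and (group["total"] != total_parts or current_part in group["parts"]):
            others.append((identifier, self._drain(identifier)))
            group = None
        if group is None:
            # Parts live in a dict, so a huge total_parts allocates nothing up front.
            group = {"seen": self.clock(), "total": total_parts, "parts": {}}
            self.groups[identifier] = group
        group["parts"][current_part] = content
        if len(group["parts"]) == total_parts:
            complete.append((identifier, " ".join(self._drain(identifier))))
        while len(self.groups) > self.max_size:  # evict the oldest group first
            oldest = min(self.groups, key=lambda k: self.groups[k]["seen"])
            others.append((oldest, self._drain(oldest)))
        return complete, others

def run_sample():
    """Feed the three constructed lines from the example above, out of order."""
    stash = Stash()
    lines = [(1024, 2, 3, "action: login"), (1024, 0, 3, "user: harry_potter,"),
             (1024, 1, 3, "ip: 120.10.20.30,")]
    return [stash.feed(*line) for line in lines][-1]
```

Both limits matter for a collector that accepts untrusted log sources: without them, parts that never arrive or a stream of fresh identifiers would keep growing the stash.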